@neus/sdk 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/README.md +53 -75
  2. package/SECURITY.md +33 -29
  3. package/cjs/client.cjs +678 -337
  4. package/cjs/errors.cjs +1 -0
  5. package/cjs/gates.cjs +1 -0
  6. package/cjs/index.cjs +927 -362
  7. package/cjs/utils.cjs +408 -32
  8. package/cli/neus.mjs +58 -0
  9. package/client.js +1957 -1728
  10. package/errors.js +5 -5
  11. package/gates.js +18 -18
  12. package/index.js +18 -3
  13. package/neus-logo.svg +3 -0
  14. package/package.json +21 -11
  15. package/types.d.ts +303 -53
  16. package/utils.js +1291 -777
  17. package/widgets/README.md +12 -20
  18. package/widgets/index.js +9 -9
  19. package/widgets/verify-gate/dist/ProofBadge.js +57 -52
  20. package/widgets/verify-gate/dist/VerifyGate.js +357 -121
  21. package/widgets/verify-gate/index.js +13 -13
package/client.js CHANGED
@@ -1,1729 +1,1958 @@
1
- /**
2
- * NEUS SDK Client
3
- * Create and verify cryptographic proofs across applications
4
- * @license Apache-2.0
5
- */
6
-
7
- import { ApiError, ValidationError, NetworkError, ConfigurationError } from './errors.js';
8
- import { constructVerificationMessage, validateWalletAddress, NEUS_CONSTANTS } from './utils.js';
9
-
10
- // Validation for supported verifiers
11
- const validateVerifierData = (verifierId, data) => {
12
- if (!data || typeof data !== 'object') {
13
- return { valid: false, error: 'Data object is required' };
14
- }
15
-
16
- // Validate wallet address if present
17
- // Validate owner/ownerAddress fields based on verifier type
18
- const ownerField = (verifierId === 'nft-ownership' || verifierId === 'token-holding') ? 'ownerAddress' : 'owner';
19
- if (data[ownerField] && !validateWalletAddress(data[ownerField])) {
20
- return { valid: false, error: `Invalid ${ownerField} address` };
21
- }
22
-
23
- // Format validation for supported verifiers
24
- switch (verifierId) {
25
- case 'ownership-basic':
26
- // Required: owner (must match request walletAddress).
27
- // Reference is optional when content/contentHash is provided.
28
- // If neither content nor contentHash is provided, reference.id is required (reference-only proof).
29
- if (!data.owner || !validateWalletAddress(data.owner)) {
30
- return { valid: false, error: 'owner (wallet address) is required' };
31
- }
32
- if (data.content !== undefined && data.content !== null) {
33
- if (typeof data.content !== 'string') {
34
- return { valid: false, error: 'content must be a string when provided' };
35
- }
36
- if (data.content.length > 50000) {
37
- return { valid: false, error: 'content exceeds 50KB inline limit' };
38
- }
39
- }
40
- if (data.contentHash !== undefined && data.contentHash !== null) {
41
- if (typeof data.contentHash !== 'string' || !/^0x[a-fA-F0-9]{64}$/.test(data.contentHash)) {
42
- return { valid: false, error: 'contentHash must be a 32-byte hex string (0x + 64 hex chars) when provided' };
43
- }
44
- }
45
- if (data.contentType !== undefined && data.contentType !== null) {
46
- if (typeof data.contentType !== 'string' || data.contentType.length > 100) {
47
- return { valid: false, error: 'contentType must be a string (max 100 chars) when provided' };
48
- }
49
- const base = String(data.contentType).split(';')[0].trim().toLowerCase();
50
- // Minimal MIME sanity check (server validates more precisely).
51
- if (!base || base.includes(' ') || !base.includes('/')) {
52
- return { valid: false, error: 'contentType must be a valid MIME type when provided' };
53
- }
54
- }
55
- if (data.provenance !== undefined && data.provenance !== null) {
56
- if (!data.provenance || typeof data.provenance !== 'object' || Array.isArray(data.provenance)) {
57
- return { valid: false, error: 'provenance must be an object when provided' };
58
- }
59
- const dk = data.provenance.declaredKind;
60
- if (dk !== undefined && dk !== null) {
61
- const allowed = ['human', 'ai', 'mixed', 'unknown'];
62
- if (typeof dk !== 'string' || !allowed.includes(dk)) {
63
- return { valid: false, error: `provenance.declaredKind must be one of: ${allowed.join(', ')}` };
64
- }
65
- }
66
- const ai = data.provenance.aiContext;
67
- if (ai !== undefined && ai !== null) {
68
- if (typeof ai !== 'object' || Array.isArray(ai)) {
69
- return { valid: false, error: 'provenance.aiContext must be an object when provided' };
70
- }
71
- if (ai.generatorType !== undefined && ai.generatorType !== null) {
72
- const allowed = ['local', 'saas', 'agent'];
73
- if (typeof ai.generatorType !== 'string' || !allowed.includes(ai.generatorType)) {
74
- return { valid: false, error: `provenance.aiContext.generatorType must be one of: ${allowed.join(', ')}` };
75
- }
76
- }
77
- if (ai.provider !== undefined && ai.provider !== null) {
78
- if (typeof ai.provider !== 'string' || ai.provider.length > 64) {
79
- return { valid: false, error: 'provenance.aiContext.provider must be a string (max 64 chars) when provided' };
80
- }
81
- }
82
- if (ai.model !== undefined && ai.model !== null) {
83
- if (typeof ai.model !== 'string' || ai.model.length > 128) {
84
- return { valid: false, error: 'provenance.aiContext.model must be a string (max 128 chars) when provided' };
85
- }
86
- }
87
- if (ai.runId !== undefined && ai.runId !== null) {
88
- if (typeof ai.runId !== 'string' || ai.runId.length > 128) {
89
- return { valid: false, error: 'provenance.aiContext.runId must be a string (max 128 chars) when provided' };
90
- }
91
- }
92
- }
93
- }
94
- if (data.reference !== undefined) {
95
- if (!data.reference || typeof data.reference !== 'object') {
96
- return { valid: false, error: 'reference must be an object when provided' };
97
- }
98
- if (!data.reference.type || typeof data.reference.type !== 'string') {
99
- // Only required when reference object is present (or when doing reference-only proofs).
100
- // Server requires reference.type when reference is used for traceability.
101
- return { valid: false, error: 'reference.type is required when reference is provided' };
102
- }
103
- }
104
- if (!data.content && !data.contentHash) {
105
- if (!data.reference || typeof data.reference !== 'object') {
106
- return { valid: false, error: 'reference is required when neither content nor contentHash is provided' };
107
- }
108
- if (!data.reference.id || typeof data.reference.id !== 'string') {
109
- return { valid: false, error: 'reference.id is required when neither content nor contentHash is provided' };
110
- }
111
- if (!data.reference.type || typeof data.reference.type !== 'string') {
112
- return { valid: false, error: 'reference.type is required when neither content nor contentHash is provided' };
113
- }
114
- }
115
- break;
116
- case 'nft-ownership':
117
- // ownerAddress is optional; server injects from request walletAddress when omitted.
118
- if (
119
- !data.contractAddress ||
120
- data.tokenId === null ||
121
- data.tokenId === undefined ||
122
- typeof data.chainId !== 'number'
123
- ) {
124
- return { valid: false, error: 'contractAddress, tokenId, and chainId are required' };
125
- }
126
- if (data.tokenType !== undefined && data.tokenType !== null) {
127
- const tt = String(data.tokenType).toLowerCase();
128
- if (tt !== 'erc721' && tt !== 'erc1155') {
129
- return { valid: false, error: 'tokenType must be one of: erc721, erc1155' };
130
- }
131
- }
132
- if (data.blockNumber !== undefined && data.blockNumber !== null && !Number.isInteger(data.blockNumber)) {
133
- return { valid: false, error: 'blockNumber must be an integer when provided' };
134
- }
135
- if (data.ownerAddress && !validateWalletAddress(data.ownerAddress)) {
136
- return { valid: false, error: 'Invalid ownerAddress' };
137
- }
138
- if (!validateWalletAddress(data.contractAddress)) {
139
- return { valid: false, error: 'Invalid contractAddress' };
140
- }
141
- break;
142
- case 'token-holding':
143
- // ownerAddress is optional; server injects from request walletAddress when omitted.
144
- if (
145
- !data.contractAddress ||
146
- data.minBalance === null ||
147
- data.minBalance === undefined ||
148
- typeof data.chainId !== 'number'
149
- ) {
150
- return { valid: false, error: 'contractAddress, minBalance, and chainId are required' };
151
- }
152
- if (data.blockNumber !== undefined && data.blockNumber !== null && !Number.isInteger(data.blockNumber)) {
153
- return { valid: false, error: 'blockNumber must be an integer when provided' };
154
- }
155
- if (data.ownerAddress && !validateWalletAddress(data.ownerAddress)) {
156
- return { valid: false, error: 'Invalid ownerAddress' };
157
- }
158
- if (!validateWalletAddress(data.contractAddress)) {
159
- return { valid: false, error: 'Invalid contractAddress' };
160
- }
161
- break;
162
- case 'ownership-dns-txt':
163
- if (!data.domain || typeof data.domain !== 'string') {
164
- return { valid: false, error: 'domain is required' };
165
- }
166
- if (data.walletAddress && !validateWalletAddress(data.walletAddress)) {
167
- return { valid: false, error: 'Invalid walletAddress' };
168
- }
169
- break;
170
- case 'wallet-link':
171
- if (!data.primaryWalletAddress || !validateWalletAddress(data.primaryWalletAddress)) {
172
- return { valid: false, error: 'primaryWalletAddress is required' };
173
- }
174
- if (!data.secondaryWalletAddress || !validateWalletAddress(data.secondaryWalletAddress)) {
175
- return { valid: false, error: 'secondaryWalletAddress is required' };
176
- }
177
- if (!data.signature || typeof data.signature !== 'string') {
178
- return { valid: false, error: 'signature is required (signed by secondary wallet)' };
179
- }
180
- if (typeof data.chainId !== 'number') {
181
- return { valid: false, error: 'chainId is required' };
182
- }
183
- if (typeof data.signedTimestamp !== 'number') {
184
- return { valid: false, error: 'signedTimestamp is required' };
185
- }
186
- break;
187
- case 'contract-ownership':
188
- if (!data.contractAddress || !validateWalletAddress(data.contractAddress)) {
189
- return { valid: false, error: 'contractAddress is required' };
190
- }
191
- if (data.walletAddress && !validateWalletAddress(data.walletAddress)) {
192
- return { valid: false, error: 'Invalid walletAddress' };
193
- }
194
- if (typeof data.chainId !== 'number') {
195
- return { valid: false, error: 'chainId is required' };
196
- }
197
- break;
198
- case 'agent-identity':
199
- if (!data.agentId || typeof data.agentId !== 'string' || data.agentId.length < 1 || data.agentId.length > 128) {
200
- return { valid: false, error: 'agentId is required (1-128 chars)' };
201
- }
202
- if (!data.agentWallet || !validateWalletAddress(data.agentWallet)) {
203
- return { valid: false, error: 'agentWallet is required' };
204
- }
205
- if (data.agentType && !['ai', 'bot', 'service', 'automation', 'agent'].includes(data.agentType)) {
206
- return { valid: false, error: 'agentType must be one of: ai, bot, service, automation, agent' };
207
- }
208
- break;
209
- case 'agent-delegation':
210
- if (!data.controllerWallet || !validateWalletAddress(data.controllerWallet)) {
211
- return { valid: false, error: 'controllerWallet is required' };
212
- }
213
- if (!data.agentWallet || !validateWalletAddress(data.agentWallet)) {
214
- return { valid: false, error: 'agentWallet is required' };
215
- }
216
- if (data.scope && (typeof data.scope !== 'string' || data.scope.length > 128)) {
217
- return { valid: false, error: 'scope must be a string (max 128 chars)' };
218
- }
219
- if (data.expiresAt && (typeof data.expiresAt !== 'number' || data.expiresAt < Date.now())) {
220
- return { valid: false, error: 'expiresAt must be a future timestamp' };
221
- }
222
- break;
223
- case 'ai-content-moderation':
224
- if (!data.content || typeof data.content !== 'string') {
225
- return { valid: false, error: 'content is required' };
226
- }
227
- if (!data.contentType || typeof data.contentType !== 'string') {
228
- return { valid: false, error: 'contentType (MIME type) is required' };
229
- }
230
- {
231
- // Only allow content types that are actually moderated (no "verified but skipped" bypass).
232
- const contentType = String(data.contentType).split(';')[0].trim().toLowerCase();
233
- const validTypes = [
234
- 'image/jpeg',
235
- 'image/png',
236
- 'image/webp',
237
- 'image/gif',
238
- 'text/plain',
239
- 'text/markdown',
240
- 'text/x-markdown',
241
- 'application/json',
242
- 'application/xml'
243
- ];
244
- if (!validTypes.includes(contentType)) {
245
- return { valid: false, error: `contentType must be one of: ${validTypes.join(', ')}` };
246
- }
247
- const isTextual = contentType.startsWith('text/') || contentType.includes('markdown');
248
- if (isTextual) {
249
- // Backend enforces 50KB UTF-8 limit for textual moderation payloads.
250
- try {
251
- const maxBytes = 50 * 1024;
252
- const bytes = (typeof TextEncoder !== 'undefined')
253
- ? new TextEncoder().encode(data.content).length
254
- : String(data.content).length;
255
- if (bytes > maxBytes) {
256
- return { valid: false, error: `content exceeds ${maxBytes} bytes limit for ai-content-moderation verifier (text)` };
257
- }
258
- } catch {
259
- // If encoding fails, defer to server.
260
- }
261
- }
262
- }
263
- if (data.content.length > 13653334) {
264
- return { valid: false, error: 'content exceeds 10MB limit' };
265
- }
266
- break;
267
- case 'ownership-pseudonym':
268
- if (!data.pseudonymId || typeof data.pseudonymId !== 'string') {
269
- return { valid: false, error: 'pseudonymId is required' };
270
- }
271
- // Validate handle format (3-64 chars, lowercase alphanumeric with ._-)
272
- if (!/^[a-z0-9._-]{3,64}$/.test(data.pseudonymId.trim().toLowerCase())) {
273
- return { valid: false, error: 'pseudonymId must be 3-64 characters, lowercase alphanumeric with dots, underscores, or hyphens' };
274
- }
275
- // Validate namespace if provided (1-64 chars)
276
- if (data.namespace && typeof data.namespace === 'string') {
277
- if (!/^[a-z0-9._-]{1,64}$/.test(data.namespace.trim().toLowerCase())) {
278
- return { valid: false, error: 'namespace must be 1-64 characters, lowercase alphanumeric with dots, underscores, or hyphens' };
279
- }
280
- }
281
- // Note: signature is not required - envelope signature provides authentication
282
- break;
283
- case 'wallet-risk':
284
- if (data.walletAddress && !validateWalletAddress(data.walletAddress)) {
285
- return { valid: false, error: 'Invalid walletAddress' };
286
- }
287
- break;
288
- }
289
-
290
- return { valid: true };
291
- };
292
-
293
- export class NeusClient {
294
- constructor(config = {}) {
295
- this.config = {
296
- timeout: 30000,
297
- enableLogging: false,
298
- ...config
299
- };
300
-
301
- // NEUS Network API
302
- this.baseUrl = this.config.apiUrl || 'https://api.neus.network';
303
- // Enforce HTTPS for neus.network domains to satisfy CSP and normalize URLs
304
- try {
305
- const url = new URL(this.baseUrl);
306
- if (url.hostname.endsWith('neus.network') && url.protocol === 'http:') {
307
- url.protocol = 'https:';
308
- }
309
- // Always remove trailing slash for consistency
310
- this.baseUrl = url.toString().replace(/\/$/, '');
311
- } catch {
312
- // If invalid URL string, leave as-is
1
+ import { ApiError, ValidationError, NetworkError, ConfigurationError } from './errors.js';
2
+ import {
3
+ PORTABLE_PROOF_SIGNER_HEADER,
4
+ constructVerificationMessage,
5
+ validateWalletAddress,
6
+ validateUniversalAddress,
7
+ signMessage,
8
+ NEUS_CONSTANTS
9
+ } from './utils.js';
10
+
11
+ const FALLBACK_PUBLIC_VERIFIER_CATALOG = {
12
+ 'ownership-basic': { supportsDirectApi: true },
13
+ 'ownership-pseudonym': { supportsDirectApi: true },
14
+ 'ownership-dns-txt': { supportsDirectApi: true },
15
+ 'ownership-social': { supportsDirectApi: false },
16
+ 'ownership-org-oauth': { supportsDirectApi: false },
17
+ 'contract-ownership': { supportsDirectApi: true },
18
+ 'nft-ownership': { supportsDirectApi: true },
19
+ 'token-holding': { supportsDirectApi: true },
20
+ 'wallet-link': { supportsDirectApi: true },
21
+ 'wallet-risk': { supportsDirectApi: true },
22
+ 'proof-of-human': { supportsDirectApi: false },
23
+ 'agent-identity': { supportsDirectApi: true },
24
+ 'agent-delegation': { supportsDirectApi: true },
25
+ 'ai-content-moderation': { supportsDirectApi: true }
26
+ };
27
+
28
+ const EVM_ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
29
+
30
+ const validateVerifierData = (verifierId, data) => {
31
+ if (!data || typeof data !== 'object') {
32
+ return { valid: false, error: 'Data object is required' };
33
+ }
34
+
35
+ switch (verifierId) {
36
+ case 'ownership-basic':
37
+ if (!data.owner || !validateUniversalAddress(data.owner, typeof data.chain === 'string' ? data.chain : undefined)) {
38
+ return { valid: false, error: 'owner (universal wallet address) is required' };
39
+ }
40
+ if (data.content !== undefined && data.content !== null) {
41
+ if (typeof data.content !== 'string') {
42
+ return { valid: false, error: 'content must be a string when provided' };
43
+ }
44
+ if (data.content.length > 50000) {
45
+ return { valid: false, error: 'content exceeds 50KB inline limit' };
46
+ }
47
+ }
48
+ if (data.contentHash !== undefined && data.contentHash !== null) {
49
+ if (typeof data.contentHash !== 'string' || !/^0x[a-fA-F0-9]{64}$/.test(data.contentHash)) {
50
+ return { valid: false, error: 'contentHash must be a 32-byte hex string (0x + 64 hex chars) when provided' };
51
+ }
52
+ }
53
+ if (data.contentType !== undefined && data.contentType !== null) {
54
+ if (typeof data.contentType !== 'string' || data.contentType.length > 100) {
55
+ return { valid: false, error: 'contentType must be a string (max 100 chars) when provided' };
56
+ }
57
+ const base = String(data.contentType).split(';')[0].trim().toLowerCase();
58
+ // Minimal MIME sanity check (server validates more precisely).
59
+ if (!base || base.includes(' ') || !base.includes('/')) {
60
+ return { valid: false, error: 'contentType must be a valid MIME type when provided' };
61
+ }
62
+ }
63
+ if (data.provenance !== undefined && data.provenance !== null) {
64
+ if (!data.provenance || typeof data.provenance !== 'object' || Array.isArray(data.provenance)) {
65
+ return { valid: false, error: 'provenance must be an object when provided' };
66
+ }
67
+ const dk = data.provenance.declaredKind;
68
+ if (dk !== undefined && dk !== null) {
69
+ const allowed = ['human', 'ai', 'mixed', 'unknown'];
70
+ if (typeof dk !== 'string' || !allowed.includes(dk)) {
71
+ return { valid: false, error: `provenance.declaredKind must be one of: ${allowed.join(', ')}` };
72
+ }
73
+ }
74
+ const ai = data.provenance.aiContext;
75
+ if (ai !== undefined && ai !== null) {
76
+ if (typeof ai !== 'object' || Array.isArray(ai)) {
77
+ return { valid: false, error: 'provenance.aiContext must be an object when provided' };
78
+ }
79
+ if (ai.generatorType !== undefined && ai.generatorType !== null) {
80
+ const allowed = ['local', 'saas', 'agent'];
81
+ if (typeof ai.generatorType !== 'string' || !allowed.includes(ai.generatorType)) {
82
+ return { valid: false, error: `provenance.aiContext.generatorType must be one of: ${allowed.join(', ')}` };
83
+ }
84
+ }
85
+ if (ai.provider !== undefined && ai.provider !== null) {
86
+ if (typeof ai.provider !== 'string' || ai.provider.length > 64) {
87
+ return { valid: false, error: 'provenance.aiContext.provider must be a string (max 64 chars) when provided' };
88
+ }
89
+ }
90
+ if (ai.model !== undefined && ai.model !== null) {
91
+ if (typeof ai.model !== 'string' || ai.model.length > 128) {
92
+ return { valid: false, error: 'provenance.aiContext.model must be a string (max 128 chars) when provided' };
93
+ }
94
+ }
95
+ if (ai.runId !== undefined && ai.runId !== null) {
96
+ if (typeof ai.runId !== 'string' || ai.runId.length > 128) {
97
+ return { valid: false, error: 'provenance.aiContext.runId must be a string (max 128 chars) when provided' };
98
+ }
99
+ }
100
+ }
101
+ }
102
+ if (data.reference !== undefined) {
103
+ if (!data.reference || typeof data.reference !== 'object') {
104
+ return { valid: false, error: 'reference must be an object when provided' };
105
+ }
106
+ if (!data.reference.type || typeof data.reference.type !== 'string') {
107
+ // Only required when reference object is present (or when doing reference-only proofs).
108
+ // Server requires reference.type when reference is used for traceability.
109
+ return { valid: false, error: 'reference.type is required when reference is provided' };
110
+ }
111
+ }
112
+ if (!data.content && !data.contentHash) {
113
+ if (!data.reference || typeof data.reference !== 'object') {
114
+ return { valid: false, error: 'reference is required when neither content nor contentHash is provided' };
115
+ }
116
+ if (!data.reference.id || typeof data.reference.id !== 'string') {
117
+ return { valid: false, error: 'reference.id is required when neither content nor contentHash is provided' };
118
+ }
119
+ if (!data.reference.type || typeof data.reference.type !== 'string') {
120
+ return { valid: false, error: 'reference.type is required when neither content nor contentHash is provided' };
121
+ }
122
+ }
123
+ break;
124
+ case 'nft-ownership':
125
+ // ownerAddress is optional; server injects from request walletAddress when omitted.
126
+ if (
127
+ !data.contractAddress ||
128
+ data.tokenId === null ||
129
+ data.tokenId === undefined ||
130
+ typeof data.chainId !== 'number'
131
+ ) {
132
+ return { valid: false, error: 'contractAddress, tokenId, and chainId are required' };
133
+ }
134
+ if (data.tokenType !== undefined && data.tokenType !== null) {
135
+ const tt = String(data.tokenType).toLowerCase();
136
+ if (tt !== 'erc721' && tt !== 'erc1155') {
137
+ return { valid: false, error: 'tokenType must be one of: erc721, erc1155' };
138
+ }
139
+ }
140
+ if (data.blockNumber !== undefined && data.blockNumber !== null && !Number.isInteger(data.blockNumber)) {
141
+ return { valid: false, error: 'blockNumber must be an integer when provided' };
142
+ }
143
+ if (data.ownerAddress && !validateWalletAddress(data.ownerAddress)) {
144
+ return { valid: false, error: 'Invalid ownerAddress' };
145
+ }
146
+ if (!validateWalletAddress(data.contractAddress)) {
147
+ return { valid: false, error: 'Invalid contractAddress' };
148
+ }
149
+ break;
150
+ case 'token-holding':
151
+ // ownerAddress is optional; server injects from request walletAddress when omitted.
152
+ if (
153
+ !data.contractAddress ||
154
+ data.minBalance === null ||
155
+ data.minBalance === undefined ||
156
+ typeof data.chainId !== 'number'
157
+ ) {
158
+ return { valid: false, error: 'contractAddress, minBalance, and chainId are required' };
159
+ }
160
+ if (data.blockNumber !== undefined && data.blockNumber !== null && !Number.isInteger(data.blockNumber)) {
161
+ return { valid: false, error: 'blockNumber must be an integer when provided' };
162
+ }
163
+ if (data.ownerAddress && !validateWalletAddress(data.ownerAddress)) {
164
+ return { valid: false, error: 'Invalid ownerAddress' };
165
+ }
166
+ if (!validateWalletAddress(data.contractAddress)) {
167
+ return { valid: false, error: 'Invalid contractAddress' };
168
+ }
169
+ break;
170
+ case 'ownership-dns-txt':
171
+ if (!data.domain || typeof data.domain !== 'string') {
172
+ return { valid: false, error: 'domain is required' };
173
+ }
174
+ if (data.walletAddress && !validateWalletAddress(data.walletAddress)) {
175
+ return { valid: false, error: 'Invalid walletAddress' };
176
+ }
177
+ break;
178
+ case 'wallet-link':
179
+ if (!data.primaryWalletAddress || !validateUniversalAddress(data.primaryWalletAddress, data.chain)) {
180
+ return { valid: false, error: 'primaryWalletAddress is required' };
181
+ }
182
+ if (!data.secondaryWalletAddress || !validateUniversalAddress(data.secondaryWalletAddress, data.chain)) {
183
+ return { valid: false, error: 'secondaryWalletAddress is required' };
184
+ }
185
+ if (!data.signature || typeof data.signature !== 'string') {
186
+ return { valid: false, error: 'signature is required (signed by secondary wallet)' };
187
+ }
188
+ if (typeof data.chain !== 'string' || !/^[a-z0-9]+:[^\s]+$/.test(data.chain)) {
189
+ return { valid: false, error: 'chain is required (namespace:reference)' };
190
+ }
191
+ if (typeof data.signatureMethod !== 'string' || !data.signatureMethod.trim()) {
192
+ return { valid: false, error: 'signatureMethod is required' };
193
+ }
194
+ if (typeof data.signedTimestamp !== 'number') {
195
+ return { valid: false, error: 'signedTimestamp is required' };
196
+ }
197
+ break;
198
+ case 'contract-ownership':
199
+ if (!data.contractAddress || !validateWalletAddress(data.contractAddress)) {
200
+ return { valid: false, error: 'contractAddress is required' };
201
+ }
202
+ if (data.walletAddress && !validateWalletAddress(data.walletAddress)) {
203
+ return { valid: false, error: 'Invalid walletAddress' };
204
+ }
205
+ if (typeof data.chainId !== 'number') {
206
+ return { valid: false, error: 'chainId is required' };
207
+ }
208
+ break;
209
+ case 'agent-identity':
210
+ if (!data.agentId || typeof data.agentId !== 'string' || data.agentId.length < 1 || data.agentId.length > 128) {
211
+ return { valid: false, error: 'agentId is required (1-128 chars)' };
212
+ }
213
+ if (!data.agentWallet || !validateWalletAddress(data.agentWallet)) {
214
+ return { valid: false, error: 'agentWallet is required' };
215
+ }
216
+ if (data.agentType && !['ai', 'bot', 'service', 'automation', 'agent'].includes(data.agentType)) {
217
+ return { valid: false, error: 'agentType must be one of: ai, bot, service, automation, agent' };
218
+ }
219
+ break;
220
+ case 'agent-delegation':
221
+ if (!data.controllerWallet || !validateWalletAddress(data.controllerWallet)) {
222
+ return { valid: false, error: 'controllerWallet is required' };
223
+ }
224
+ if (!data.agentWallet || !validateWalletAddress(data.agentWallet)) {
225
+ return { valid: false, error: 'agentWallet is required' };
226
+ }
227
+ if (data.scope && (typeof data.scope !== 'string' || data.scope.length > 128)) {
228
+ return { valid: false, error: 'scope must be a string (max 128 chars)' };
229
+ }
230
+ if (data.expiresAt && (typeof data.expiresAt !== 'number' || data.expiresAt < Date.now())) {
231
+ return { valid: false, error: 'expiresAt must be a future timestamp' };
232
+ }
233
+ break;
234
+ case 'ai-content-moderation':
235
+ if (!data.content || typeof data.content !== 'string') {
236
+ return { valid: false, error: 'content is required' };
237
+ }
238
+ if (!data.contentType || typeof data.contentType !== 'string') {
239
+ return { valid: false, error: 'contentType (MIME type) is required' };
240
+ }
241
+ {
242
+ // Only allow content types that are actually moderated (no "verified but skipped" bypass).
243
+ const contentType = String(data.contentType).split(';')[0].trim().toLowerCase();
244
+ const validTypes = [
245
+ 'image/jpeg',
246
+ 'image/png',
247
+ 'image/webp',
248
+ 'image/gif',
249
+ 'text/plain',
250
+ 'text/markdown',
251
+ 'text/x-markdown',
252
+ 'application/json',
253
+ 'application/xml'
254
+ ];
255
+ if (!validTypes.includes(contentType)) {
256
+ return { valid: false, error: `contentType must be one of: ${validTypes.join(', ')}` };
257
+ }
258
+ const isTextual = contentType.startsWith('text/') || contentType.includes('markdown');
259
+ if (isTextual) {
260
+ // Backend enforces 50KB UTF-8 limit for textual moderation payloads.
261
+ try {
262
+ const maxBytes = 50 * 1024;
263
+ const bytes = (typeof TextEncoder !== 'undefined')
264
+ ? new TextEncoder().encode(data.content).length
265
+ : String(data.content).length;
266
+ if (bytes > maxBytes) {
267
+ return {
268
+ valid: false,
269
+ error: `content exceeds ${maxBytes} bytes limit for ai-content-moderation verifier (text)`
270
+ };
271
+ }
272
+ } catch {
273
+ // If encoding fails, defer to server.
274
+ }
275
+ }
276
+ }
277
+ if (data.content.length > 13653334) {
278
+ return { valid: false, error: 'content exceeds 10MB limit' };
279
+ }
280
+ break;
281
+ case 'ownership-pseudonym':
282
+ if (!data.pseudonymId || typeof data.pseudonymId !== 'string') {
283
+ return { valid: false, error: 'pseudonymId is required' };
284
+ }
285
+ // Validate handle format (3-64 chars, lowercase alphanumeric with ._-)
286
+ if (!/^[a-z0-9._-]{3,64}$/.test(data.pseudonymId.trim().toLowerCase())) {
287
+ return { valid: false, error: 'pseudonymId must be 3-64 characters, lowercase alphanumeric with dots, underscores, or hyphens' };
288
+ }
289
+ // Validate namespace if provided (1-64 chars)
290
+ if (data.namespace && typeof data.namespace === 'string') {
291
+ if (!/^[a-z0-9._-]{1,64}$/.test(data.namespace.trim().toLowerCase())) {
292
+ return { valid: false, error: 'namespace must be 1-64 characters, lowercase alphanumeric with dots, underscores, or hyphens' };
293
+ }
294
+ }
295
+ // Note: signature is not required - envelope signature provides authentication
296
+ break;
297
+ case 'wallet-risk':
298
+ if (data.walletAddress && !validateUniversalAddress(data.walletAddress, data.chain)) {
299
+ return { valid: false, error: 'Invalid walletAddress' };
300
+ }
301
+ break;
302
+ }
303
+
304
+ return { valid: true };
305
+ };
306
+
307
+ export class NeusClient {
308
+ constructor(config = {}) {
309
+ this.config = {
310
+ timeout: 30000,
311
+ enableLogging: false,
312
+ ...config
313
+ };
314
+
315
+ this.baseUrl = this.config.apiUrl || 'https://api.neus.network';
316
+ // Enforce HTTPS for neus.network domains to satisfy CSP and normalize URLs
317
+ try {
318
+ const url = new URL(this.baseUrl);
319
+ if (url.hostname.endsWith('neus.network') && url.protocol === 'http:') {
320
+ url.protocol = 'https:';
321
+ }
322
+ // Always remove trailing slash for consistency
323
+ this.baseUrl = url.toString().replace(/\/$/, '');
324
+ } catch {
325
+ // If invalid URL string, leave as-is
326
+ }
327
+ this.config.apiUrl = this.baseUrl;
328
+
329
+ // Default headers
330
+
331
+ this.defaultHeaders = {
332
+ 'Content-Type': 'application/json',
333
+ 'Accept': 'application/json',
334
+ 'X-Neus-Sdk': 'js'
335
+ };
336
+
337
+ if (typeof this.config.apiKey === 'string' && this.config.apiKey.trim().length > 0) {
338
+ this.defaultHeaders['Authorization'] = `Bearer ${this.config.apiKey.trim()}`;
339
+ }
340
+ if (typeof this.config.appId === 'string' && this.config.appId.trim().length > 0) {
341
+ this.defaultHeaders['X-Neus-App'] = this.config.appId.trim();
342
+ }
343
+ if (typeof this.config.paymentSignature === 'string' && this.config.paymentSignature.trim().length > 0) {
344
+ this.defaultHeaders['PAYMENT-SIGNATURE'] = this.config.paymentSignature.trim();
313
345
  }
314
- // Normalize apiUrl on config
315
- this.config.apiUrl = this.baseUrl;
316
- // Default headers for API requests
317
- this.defaultHeaders = {
318
- 'Content-Type': 'application/json',
319
- 'Accept': 'application/json',
320
- 'X-Neus-Sdk': 'js'
321
- };
322
-
323
- // Optional API key (server-side only; do not embed in browser apps)
324
- if (typeof this.config.apiKey === 'string' && this.config.apiKey.trim().length > 0) {
325
- this.defaultHeaders['Authorization'] = `Bearer ${this.config.apiKey.trim()}`;
326
- }
327
- try {
328
- // Attach origin in browser environments
329
- if (typeof window !== 'undefined' && window.location && window.location.origin) {
330
- this.defaultHeaders['X-Client-Origin'] = window.location.origin;
331
- }
332
- } catch {
333
- // ignore: optional browser metadata header
334
- }
335
- }
336
-
337
- // ============================================================================
338
- // CORE VERIFICATION METHODS
339
- // ============================================================================
340
-
341
- /**
342
- * VERIFY - Standard verification (auto or manual)
343
- *
344
- * Create proofs with complete control over the verification process.
345
- * If signature and walletAddress are omitted but verifier/content are provided,
346
- * this method performs the wallet flow inline (no aliases, no secondary methods).
347
- *
348
- * @param {Object} params - Verification parameters
349
- * @param {Array<string>} [params.verifierIds] - Array of verifier IDs (manual path)
350
- * @param {Object} [params.data] - Verification data object (manual path)
351
- * @param {string} [params.walletAddress] - Wallet address that signed the request (manual path)
352
- * @param {string} [params.signature] - EIP-191 signature (manual path)
353
- * @param {number} [params.signedTimestamp] - Unix timestamp when signature was created (manual path)
354
- * @param {number} [params.chainId] - Chain ID for verification context (optional, managed by protocol)
355
- * @param {Object} [params.options] - Additional options
356
- * @param {string} [params.verifier] - Verifier ID (auto path)
357
- * @param {string} [params.content] - Content/description (auto path)
358
- * @param {Object} [params.wallet] - Optional injected wallet/provider (auto path)
359
- * @returns {Promise<Object>} Verification result with qHash
360
- *
361
- * @example
362
- * const proof = await client.verify({
363
- * verifierIds: ['ownership-basic'],
364
- * data: {
365
- * content: "My content",
366
- * owner: walletAddress, // or ownerAddress for nft-ownership/token-holding
367
- * reference: { type: 'other', id: 'my-unique-identifier' }
368
- * },
369
- * walletAddress: '0x...',
370
- * signature: '0x...',
371
- * signedTimestamp: Date.now(),
372
- * options: { targetChains: [421614, 11155111] }
373
- * });
374
- */
375
- /**
376
- * Create a verification proof
377
- *
378
- * @param {Object} params - Verification parameters
379
- * @param {string} [params.verifier] - Verifier ID (e.g., 'ownership-basic')
380
- * @param {string} [params.content] - Content to verify
381
- * @param {Object} [params.data] - Structured verification data
382
- * @param {Object} [params.wallet] - Wallet provider
383
- * @param {Object} [params.options] - Additional options
384
- * @returns {Promise<Object>} Verification result with qHash
385
- *
386
- * @example
387
- * // Simple ownership proof
388
- * const proof = await client.verify({
389
- * verifier: 'ownership-basic',
390
- * content: 'Hello World',
391
- * wallet: window.ethereum
392
- * });
393
- */
394
- async verify(params) {
395
- // Auto path: if no manual signature fields but auto fields are provided, perform inline wallet flow
396
- if ((!params?.signature || !params?.walletAddress) && (params?.verifier || params?.content || params?.data)) {
397
- const { content, verifier = 'ownership-basic', data = null, wallet = null, options = {} } = params;
398
-
399
- // ownership-basic: content required for simple mode, but data param mode allows contentHash or reference
400
- if (verifier === 'ownership-basic' && !data && (!content || typeof content !== 'string')) {
401
- throw new ValidationError('content is required and must be a string (or use data param with owner + reference)');
402
- }
403
-
404
- const validVerifiers = [
405
- 'ownership-basic',
406
- 'ownership-pseudonym', // Pseudonymous identity (public)
407
- 'nft-ownership',
408
- 'token-holding',
409
- 'ownership-dns-txt',
410
- 'wallet-link',
411
- 'contract-ownership',
412
- 'wallet-risk', // Wallet risk assessment (public)
413
- // AI & Agent verifiers (ERC-8004 aligned)
414
- 'agent-identity',
415
- 'agent-delegation',
416
- 'ai-content-moderation'
417
- ];
418
- if (!validVerifiers.includes(verifier)) {
419
- throw new ValidationError(`Invalid verifier '${verifier}'. Must be one of: ${validVerifiers.join(', ')}.`);
420
- }
421
-
422
- // These verifiers require explicit data parameter (no auto-path)
423
- const requiresDataParam = [
424
- 'ownership-dns-txt',
425
- 'wallet-link',
426
- 'contract-ownership',
427
- 'ownership-pseudonym',
428
- 'wallet-risk',
429
- 'agent-identity',
430
- 'agent-delegation',
431
- 'ai-content-moderation'
432
- ];
433
- if (requiresDataParam.includes(verifier)) {
434
- if (!data || typeof data !== 'object') {
435
- throw new ValidationError(`${verifier} requires explicit data parameter. Cannot use auto-path.`);
436
- }
437
- }
438
-
439
- // Auto-detect wallet and get address
440
- let walletAddress, provider;
441
- if (wallet) {
442
- walletAddress = wallet.address || wallet.selectedAddress;
443
- provider = wallet.provider || wallet;
444
- } else {
445
- if (typeof window === 'undefined' || !window.ethereum) {
446
- throw new ConfigurationError('No Web3 wallet detected. Please install MetaMask or provide wallet parameter.');
447
- }
448
- await window.ethereum.request({ method: 'eth_requestAccounts' });
449
- provider = window.ethereum;
450
- const accounts = await provider.request({ method: 'eth_accounts' });
451
- walletAddress = accounts[0];
452
- }
453
-
454
- // Prepare verification data based on verifier type
455
- let verificationData;
456
- if (verifier === 'ownership-basic') {
457
- if (data && typeof data === 'object') {
458
- // Data param mode: use provided data, inject owner if missing
459
- verificationData = {
460
- owner: data.owner || walletAddress,
461
- reference: data.reference,
462
- ...(data.content && { content: data.content }),
463
- ...(data.contentHash && { contentHash: data.contentHash }),
464
- ...(data.contentType && { contentType: data.contentType }),
465
- ...(data.provenance && { provenance: data.provenance })
466
- };
467
- } else {
468
- // Simple content mode: derive reference from content
469
- verificationData = {
470
- content: content,
471
- owner: walletAddress,
472
- reference: { type: 'other' }
473
- };
474
- }
475
- } else if (verifier === 'token-holding') {
476
- if (!data?.contractAddress) {
477
- throw new ValidationError('token-holding requires contractAddress in data parameter');
478
- }
479
- if (data?.minBalance === null || data?.minBalance === undefined) {
480
- throw new ValidationError('token-holding requires minBalance in data parameter');
481
- }
482
- if (typeof data?.chainId !== 'number') {
483
- throw new ValidationError('token-holding requires chainId (number) in data parameter');
484
- }
485
- verificationData = {
486
- ownerAddress: walletAddress,
487
- contractAddress: data.contractAddress,
488
- minBalance: data.minBalance,
489
- chainId: data.chainId
490
- };
491
- } else if (verifier === 'nft-ownership') {
492
- if (!data?.contractAddress) {
493
- throw new ValidationError('nft-ownership requires contractAddress in data parameter');
494
- }
495
- if (data?.tokenId === null || data?.tokenId === undefined) {
496
- throw new ValidationError('nft-ownership requires tokenId in data parameter');
497
- }
498
- if (typeof data?.chainId !== 'number') {
499
- throw new ValidationError('nft-ownership requires chainId (number) in data parameter');
500
- }
501
- verificationData = {
502
- ownerAddress: walletAddress,
503
- contractAddress: data.contractAddress,
504
- tokenId: data.tokenId,
505
- chainId: data.chainId,
506
- tokenType: data?.tokenType || 'erc721'
507
- };
508
- } else if (verifier === 'ownership-dns-txt') {
509
- if (!data?.domain) {
510
- throw new ValidationError('ownership-dns-txt requires domain in data parameter');
511
- }
512
- verificationData = {
513
- domain: data.domain,
514
- walletAddress: walletAddress
515
- };
516
- } else if (verifier === 'wallet-link') {
517
- if (!data?.secondaryWalletAddress) {
518
- throw new ValidationError('wallet-link requires secondaryWalletAddress in data parameter');
519
- }
520
- if (!data?.signature) {
521
- throw new ValidationError('wallet-link requires signature in data parameter (signed by secondary wallet)');
522
- }
523
- if (typeof data?.chainId !== 'number') {
524
- throw new ValidationError('wallet-link requires chainId (number) in data parameter');
525
- }
526
- verificationData = {
527
- primaryWalletAddress: walletAddress,
528
- secondaryWalletAddress: data.secondaryWalletAddress,
529
- signature: data.signature,
530
- chainId: data.chainId,
531
- signedTimestamp: data?.signedTimestamp || Date.now()
532
- };
533
- } else if (verifier === 'contract-ownership') {
534
- if (!data?.contractAddress) {
535
- throw new ValidationError('contract-ownership requires contractAddress in data parameter');
536
- }
537
- if (typeof data?.chainId !== 'number') {
538
- throw new ValidationError('contract-ownership requires chainId (number) in data parameter');
539
- }
540
- verificationData = {
541
- contractAddress: data.contractAddress,
542
- walletAddress: walletAddress,
543
- chainId: data.chainId,
544
- ...(data?.method && { method: data.method })
545
- };
546
- } else if (verifier === 'agent-identity') {
547
- if (!data?.agentId) {
548
- throw new ValidationError('agent-identity requires agentId in data parameter');
549
- }
550
- verificationData = {
551
- agentId: data.agentId,
552
- agentWallet: data?.agentWallet || walletAddress,
553
- ...(data?.agentLabel && { agentLabel: data.agentLabel }),
554
- ...(data?.agentType && { agentType: data.agentType }),
555
- ...(data?.description && { description: data.description }),
556
- ...(data?.capabilities && { capabilities: data.capabilities })
557
- };
558
- } else if (verifier === 'agent-delegation') {
559
- if (!data?.agentWallet) {
560
- throw new ValidationError('agent-delegation requires agentWallet in data parameter');
561
- }
562
- verificationData = {
563
- controllerWallet: data?.controllerWallet || walletAddress,
564
- agentWallet: data.agentWallet,
565
- ...(data?.agentId && { agentId: data.agentId }),
566
- ...(data?.scope && { scope: data.scope }),
567
- ...(data?.permissions && { permissions: data.permissions }),
568
- ...(data?.maxSpend && { maxSpend: data.maxSpend }),
569
- ...(data?.expiresAt && { expiresAt: data.expiresAt })
570
- };
571
- } else if (verifier === 'ai-content-moderation') {
572
- if (!data?.content) {
573
- throw new ValidationError('ai-content-moderation requires content (base64) in data parameter');
574
- }
575
- if (!data?.contentType) {
576
- throw new ValidationError('ai-content-moderation requires contentType (MIME type) in data parameter');
577
- }
578
- verificationData = {
579
- content: data.content,
580
- contentType: data.contentType,
581
- ...(data?.provider && { provider: data.provider })
582
- };
583
- } else if (verifier === 'ownership-pseudonym') {
584
- if (!data?.pseudonymId) {
585
- throw new ValidationError('ownership-pseudonym requires pseudonymId in data parameter');
586
- }
587
- verificationData = {
588
- pseudonymId: data.pseudonymId,
589
- ...(data?.namespace && { namespace: data.namespace }),
590
- ...(data?.displayName && { displayName: data.displayName }),
591
- ...(data?.metadata && { metadata: data.metadata })
592
- };
593
- } else if (verifier === 'wallet-risk') {
594
- // wallet-risk defaults to verifying the connected wallet
595
- verificationData = {
596
- walletAddress: data?.walletAddress || walletAddress,
597
- ...(data?.provider && { provider: data.provider }),
598
- // Mainnet-first semantics: if caller doesn't provide chainId, default to Ethereum mainnet (1).
599
- // This avoids accidental testnet semantics for risk providers.
600
- chainId: (typeof data?.chainId === 'number' && Number.isFinite(data.chainId)) ? data.chainId : 1,
601
- ...(data?.includeDetails !== undefined && { includeDetails: data.includeDetails })
602
- };
603
- } else {
604
- // Default structure for unknown verifiers (should not reach here with validVerifiers check)
605
- verificationData = data ? {
606
- content,
607
- owner: walletAddress,
608
- ...data
609
- } : {
610
- content,
611
- owner: walletAddress
612
- };
613
- }
614
-
615
- const signedTimestamp = Date.now();
616
- const verifierIds = [verifier];
617
- const message = constructVerificationMessage({
618
- walletAddress,
619
- signedTimestamp,
620
- data: verificationData,
621
- verifierIds,
622
- chainId: NEUS_CONSTANTS.HUB_CHAIN_ID // Protocol-managed chain
623
- });
624
-
625
- let signature;
626
- try {
627
- // UNIFIED SIGNING: Matches utils/core.ts personalSignUniversal exactly
628
- const toHexUtf8 = (s) => {
629
- try {
630
- const enc = new TextEncoder();
631
- const bytes = enc.encode(s);
632
- let hex = '0x';
633
- for (let i = 0; i < bytes.length; i++) hex += bytes[i].toString(16).padStart(2, '0');
634
- return hex;
635
- } catch {
636
- let hex = '0x';
637
- for (let i = 0; i < s.length; i++) hex += s.charCodeAt(i).toString(16).padStart(2, '0');
638
- return hex;
639
- }
640
- };
641
-
642
- // Detect Farcaster wallet - requires hex-encoded messages FIRST
643
- const isFarcasterWallet = (() => {
644
- if (typeof window === 'undefined') return false;
645
- try {
646
- const w = window;
647
- const fc = w.farcaster;
648
- if (!fc || !fc.context) return false;
649
- const fcProvider = fc.provider || fc.walletProvider || (fc.context && fc.context.walletProvider);
650
- if (fcProvider === provider) return true;
651
- if (w.mini && w.mini.wallet === provider && fc && fc.context) return true;
652
- if (w.ethereum === provider && fc && fc.context) return true;
653
- } catch {
654
- // ignore: optional Farcaster detection
655
- }
656
- return false;
657
- })();
658
-
659
- if (isFarcasterWallet) {
660
- try {
661
- const hexMsg = toHexUtf8(message);
662
- signature = await provider.request({ method: 'personal_sign', params: [hexMsg, walletAddress] });
663
- } catch (e) {
664
- // Fall through
665
- }
666
- }
667
-
668
- if (!signature) {
669
- try {
670
- signature = await provider.request({ method: 'personal_sign', params: [message, walletAddress] });
671
- } catch (e) {
672
- const msg = String(e && (e.message || e.reason) || e || '').toLowerCase();
673
- const errCode = (e && (e.code || (e.error && e.error.code))) || null;
674
- const needsHex = /byte|bytes|invalid byte sequence|encoding|non-hex/i.test(msg);
675
-
676
- const methodUnsupported = (
677
- /method.*not.*supported|unsupported|not implemented|method not found|unknown method|does not support/i.test(msg) ||
678
- errCode === -32601 ||
679
- errCode === 4200 ||
680
- (msg.includes('personal_sign') && msg.includes('not')) ||
681
- (msg.includes('request method') && msg.includes('not supported'))
682
- );
683
-
684
- if (methodUnsupported) {
685
- this._log('personal_sign not supported; attempting eth_sign fallback');
686
- try {
687
- const enc = new TextEncoder();
688
- const bytes = enc.encode(message);
689
- const prefix = `\x19Ethereum Signed Message:\n${bytes.length}`;
690
- const full = new Uint8Array(prefix.length + bytes.length);
691
- for (let i = 0; i < prefix.length; i++) full[i] = prefix.charCodeAt(i);
692
- full.set(bytes, prefix.length);
693
- let payloadHex = '0x';
694
- for (let i = 0; i < full.length; i++) payloadHex += full[i].toString(16).padStart(2, '0');
695
- try {
696
- if (typeof window !== 'undefined') window.__NEUS_ALLOW_ETH_SIGN__ = true;
697
- } catch {
698
- // ignore
699
- }
700
- signature = await provider.request({ method: 'eth_sign', params: [walletAddress, payloadHex], neusAllowEthSign: true });
701
- try {
702
- if (typeof window !== 'undefined') delete window.__NEUS_ALLOW_ETH_SIGN__;
703
- } catch {
704
- // ignore
705
- }
706
- } catch (fallbackErr) {
707
- this._log('eth_sign fallback failed', { message: fallbackErr?.message || String(fallbackErr) });
708
- try {
709
- if (typeof window !== 'undefined') delete window.__NEUS_ALLOW_ETH_SIGN__;
710
- } catch {
711
- // ignore
712
- }
713
- throw e;
714
- }
715
- } else if (needsHex) {
716
- this._log('Retrying personal_sign with hex-encoded message');
717
- const hexMsg = toHexUtf8(message);
718
- signature = await provider.request({ method: 'personal_sign', params: [hexMsg, walletAddress] });
719
- } else {
720
- throw e;
721
- }
722
- }
723
- }
724
- } catch (error) {
725
- if (error.code === 4001) {
726
- throw new ValidationError('User rejected the signature request. Signature is required to create proofs.');
727
- }
728
- throw new ValidationError(`Failed to sign verification message: ${error.message}`);
729
- }
730
-
731
- return this.verify({
732
- verifierIds,
733
- data: verificationData,
734
- walletAddress,
735
- signature,
736
- signedTimestamp,
737
- options
738
- });
739
- }
740
-
741
- const {
742
- verifierIds,
743
- data,
744
- walletAddress,
745
- signature,
746
- signedTimestamp,
747
- chainId,
748
- chain,
749
- signatureMethod,
750
- options = {}
751
- } = params;
752
-
753
- const resolvedChainId = chainId || (chain ? null : NEUS_CONSTANTS.HUB_CHAIN_ID);
754
-
755
- // Normalize verifier IDs
756
- const normalizeVerifierId = (id) => {
757
- if (typeof id !== 'string') return id;
758
- const match = id.match(/^(.*)@\d+$/);
759
- return match ? match[1] : id;
760
- };
761
- const normalizedVerifierIds = Array.isArray(verifierIds) ? verifierIds.map(normalizeVerifierId) : [];
762
-
763
- // Validate required parameters
764
- if (!normalizedVerifierIds || normalizedVerifierIds.length === 0) {
765
- throw new ValidationError('verifierIds array is required');
766
- }
767
- if (!data || typeof data !== 'object') {
768
- throw new ValidationError('data object is required');
769
- }
770
- if (!walletAddress || typeof walletAddress !== 'string') {
771
- throw new ValidationError('walletAddress is required');
772
- }
773
- if (!signature) {
774
- throw new ValidationError('signature is required');
775
- }
776
- if (!signedTimestamp || typeof signedTimestamp !== 'number') {
777
- throw new ValidationError('signedTimestamp is required');
778
- }
779
- if (resolvedChainId !== null && typeof resolvedChainId !== 'number') {
780
- throw new ValidationError('chainId must be a number');
781
- }
782
-
783
- // Validate verifier data
784
- for (const verifierId of normalizedVerifierIds) {
785
- const validation = validateVerifierData(verifierId, data);
786
- if (!validation.valid) {
787
- throw new ValidationError(`Validation failed for verifier '${verifierId}': ${validation.error}`);
788
- }
789
- }
790
-
791
- // Build options payload (public surface)
792
- const optionsPayload = {
793
- ...(options && typeof options === 'object' ? options : {}),
794
- targetChains: Array.isArray(options?.targetChains) ? options.targetChains : [],
795
- // Privacy and storage options (defaults)
796
- privacyLevel: options?.privacyLevel || 'private',
797
- publicDisplay: options?.publicDisplay || false,
798
- storeOriginalContent: options?.storeOriginalContent || false
799
- };
800
- if (typeof options?.enableIpfs === 'boolean') optionsPayload.enableIpfs = options.enableIpfs;
801
-
802
- const requestData = {
803
- verifierIds: normalizedVerifierIds,
804
- data,
805
- walletAddress,
806
- signature,
807
- signedTimestamp,
808
- ...(resolvedChainId !== null && { chainId: resolvedChainId }),
809
- ...(chain && { chain }),
810
- ...(signatureMethod && { signatureMethod }),
811
- options: optionsPayload
812
- };
813
-
814
- // SECURITY: Do not send proof signatures in Authorization headers.
815
- // Signatures belong in the request body only (they are not bearer tokens).
816
- const response = await this._makeRequest('POST', '/api/v1/verification', requestData);
817
-
818
- if (!response.success) {
819
- throw new ApiError(`Verification failed: ${response.error?.message || 'Unknown error'}`, response.error);
820
- }
821
-
822
- return this._formatResponse(response);
823
- }
824
-
825
- // ============================================================================
826
- // STATUS AND UTILITY METHODS
827
- // ============================================================================
828
-
829
- /**
830
- * Get verification status
831
- *
832
- * @param {string} qHash - Verification ID (qHash or proofId)
833
- * @returns {Promise<Object>} Verification status and data
834
- *
835
- * @example
836
- * const result = await client.getStatus('0x...');
837
- * console.log('Status:', result.status);
838
- */
839
- async getStatus(qHash) {
840
- if (!qHash || typeof qHash !== 'string') {
841
- throw new ValidationError('qHash is required');
842
- }
843
- const response = await this._makeRequest('GET', `/api/v1/verification/status/${qHash}`);
844
-
845
- if (!response.success) {
846
- throw new ApiError(`Failed to get status: ${response.error?.message || 'Unknown error'}`, response.error);
847
- }
848
-
849
- return this._formatResponse(response);
850
- }
851
-
852
- /**
853
- * Get private proof status with wallet signature
854
- *
855
- * @param {string} qHash - Verification ID
856
- * @param {Object} wallet - Wallet provider (window.ethereum or ethers Wallet)
857
- * @returns {Promise<Object>} Private verification status and data
858
- *
859
- * @example
860
- * // Access private proof
861
- * const privateData = await client.getPrivateStatus(qHash, window.ethereum);
862
- */
863
- async getPrivateStatus(qHash, wallet = null) {
864
- if (!qHash || typeof qHash !== 'string') {
865
- throw new ValidationError('qHash is required');
866
- }
867
-
868
- // Auto-detect wallet if not provided
869
- if (!wallet) {
870
- if (typeof window === 'undefined' || !window.ethereum) {
871
- throw new ConfigurationError('No wallet provider available');
872
- }
873
- wallet = window.ethereum;
874
- }
875
-
876
- let walletAddress, provider;
877
-
878
- // Handle different wallet types
879
- if (wallet.address) {
880
- // ethers Wallet
881
- walletAddress = wallet.address;
882
- provider = wallet;
883
- } else if (wallet.selectedAddress || wallet.request) {
884
- // Browser provider (MetaMask, etc.)
885
- provider = wallet;
886
- if (wallet.selectedAddress) {
887
- walletAddress = wallet.selectedAddress;
888
- } else {
889
- const accounts = await provider.request({ method: 'eth_accounts' });
890
- if (!accounts || accounts.length === 0) {
891
- throw new ConfigurationError('No wallet accounts available');
892
- }
893
- walletAddress = accounts[0];
894
- }
895
- } else {
896
- throw new ConfigurationError('Invalid wallet provider');
897
- }
898
-
899
- const signedTimestamp = Date.now();
900
-
901
- // IMPORTANT: This must match the server's Standard Signing String owner-access check:
902
- // data.action='access_private_proof' + data.qHash, verifierIds=['ownership-basic'], chainId=default chainId.
903
- const message = constructVerificationMessage({
904
- walletAddress,
905
- signedTimestamp,
906
- data: { action: 'access_private_proof', qHash },
907
- verifierIds: ['ownership-basic'],
908
- chainId: NEUS_CONSTANTS.HUB_CHAIN_ID
909
- });
910
-
911
- let signature;
912
- try {
913
- if (provider.signMessage) {
914
- // ethers Wallet
915
- signature = await provider.signMessage(message);
916
- } else {
917
- // Browser provider
918
- signature = await provider.request({
919
- method: 'personal_sign',
920
- params: [message, walletAddress]
921
- });
922
- }
923
- } catch (error) {
924
- if (error.code === 4001) {
925
- throw new ValidationError('User rejected signature request');
926
- }
927
- throw new ValidationError(`Failed to sign message: ${error.message}`);
928
- }
929
-
930
- // Make request with signature headers (server reads x-wallet-address/x-signature/x-signed-timestamp)
931
- const response = await this._makeRequest('GET', `/api/v1/verification/status/${qHash}`, null, {
932
- 'x-wallet-address': walletAddress,
933
- 'x-signature': signature,
934
- 'x-signed-timestamp': signedTimestamp.toString()
935
- });
936
-
937
- if (!response.success) {
938
- throw new ApiError(
939
- `Failed to access private proof: ${response.error?.message || 'Unauthorized'}`,
940
- response.error
941
- );
942
- }
943
-
944
- return this._formatResponse(response);
945
- }
946
-
947
- /**
948
- * Check API health
949
- *
950
- * @returns {Promise<boolean>} True if API is healthy
951
- */
952
- async isHealthy() {
953
- try {
954
- const response = await this._makeRequest('GET', '/api/v1/health');
955
- return response.success === true;
956
- } catch {
957
- return false;
958
- }
959
- }
960
-
961
- /**
962
- * List available verifiers
963
- *
964
- * @returns {Promise<string[]>} Array of verifier IDs
965
- */
966
- async getVerifiers() {
967
- const response = await this._makeRequest('GET', '/api/v1/verification/verifiers');
968
- if (!response.success) {
969
- throw new ApiError(`Failed to get verifiers: ${response.error?.message || 'Unknown error'}`, response.error);
970
- }
971
- return Array.isArray(response.data) ? response.data : [];
972
- }
973
-
974
- /**
975
- * POLL PROOF STATUS - Wait for verification completion
976
- *
977
- * Polls the verification status until it reaches a terminal state (completed or failed).
978
- * Useful for providing real-time feedback to users during verification.
979
- *
980
- * @param {string} qHash - Verification ID to poll
981
- * @param {Object} [options] - Polling options
982
- * @param {number} [options.interval=5000] - Polling interval in ms
983
- * @param {number} [options.timeout=120000] - Total timeout in ms
984
- * @param {Function} [options.onProgress] - Progress callback function
985
- * @returns {Promise<Object>} Final verification status
986
- *
987
- * @example
988
- * const finalStatus = await client.pollProofStatus(qHash, {
989
- * interval: 3000,
990
- * timeout: 60000,
991
- * onProgress: (status) => {
992
- * console.log('Current status:', status.status);
993
- * if (status.crosschain) {
994
- * console.log(`Cross-chain: ${status.crosschain.finalized}/${status.crosschain.totalChains}`);
995
- * }
996
- * }
997
- * });
998
- */
999
- async pollProofStatus(qHash, options = {}) {
1000
- const {
1001
- interval = 5000,
1002
- timeout = 120000,
1003
- onProgress
1004
- } = options;
1005
-
1006
- if (!qHash || typeof qHash !== 'string') {
1007
- throw new ValidationError('qHash is required');
1008
- }
1009
-
1010
- const startTime = Date.now();
1011
- let consecutiveRateLimits = 0;
1012
-
1013
- while (Date.now() - startTime < timeout) {
1014
- try {
1015
- const status = await this.getStatus(qHash);
1016
- consecutiveRateLimits = 0;
1017
-
1018
- // Call progress callback if provided
1019
- if (onProgress && typeof onProgress === 'function') {
1020
- onProgress(status.data || status);
1021
- }
1022
-
1023
- // Check for terminal states
1024
- const currentStatus = status.data?.status || status.status;
1025
- if (this._isTerminalStatus(currentStatus)) {
1026
- this._log('Verification completed', { status: currentStatus, duration: Date.now() - startTime });
1027
- return status;
1028
- }
1029
-
1030
- // Wait before next poll
1031
- await new Promise(resolve => setTimeout(resolve, interval));
1032
-
1033
- } catch (error) {
1034
- this._log('Status poll error', error.message);
1035
- // Continue polling unless it's a validation error
1036
- if (error instanceof ValidationError) {
1037
- throw error;
1038
- }
1039
-
1040
- let nextDelay = interval;
1041
- if (error instanceof ApiError && Number(error.statusCode) === 429) {
1042
- consecutiveRateLimits += 1;
1043
- const exp = Math.min(6, consecutiveRateLimits); // cap growth
1044
- const base = Math.max(500, Number(interval) || 0);
1045
- const max = 30000; // 30s cap to keep UX responsive
1046
- const backoff = Math.min(max, base * Math.pow(2, exp));
1047
- const jitter = Math.floor(backoff * (0.5 + Math.random() * 0.5)); // 50-100%
1048
- nextDelay = jitter;
1049
- }
1050
-
1051
- await new Promise(resolve => setTimeout(resolve, nextDelay));
1052
- }
1053
- }
1054
-
1055
- throw new NetworkError(`Polling timeout after ${timeout}ms`, 'POLLING_TIMEOUT');
1056
- }
1057
-
1058
- /**
1059
- * DETECT CHAIN ID - Get current wallet chain
1060
- *
1061
- * @returns {Promise<number>} Current chain ID
1062
- */
1063
- async detectChainId() {
1064
- if (typeof window === 'undefined' || !window.ethereum) {
1065
- throw new ConfigurationError('No Web3 wallet detected');
1066
- }
1067
-
1068
- try {
1069
- const chainId = await window.ethereum.request({ method: 'eth_chainId' });
1070
- return parseInt(chainId, 16);
1071
- } catch (error) {
1072
- throw new NetworkError(`Failed to detect chain ID: ${error.message}`);
1073
- }
1074
- }
1075
-
1076
- /** Revoke your own proof (owner-signed) */
1077
- async revokeOwnProof(qHash, wallet) {
1078
- if (!qHash || typeof qHash !== 'string') {
1079
- throw new ValidationError('qHash is required');
1080
- }
1081
- const address = wallet?.address || await this._getWalletAddress();
1082
- const signedTimestamp = Date.now();
1083
- const hubChainId = NEUS_CONSTANTS.HUB_CHAIN_ID;
1084
-
1085
- const message = constructVerificationMessage({
1086
- walletAddress: address,
1087
- signedTimestamp,
1088
- data: { action: 'revoke_proof', qHash },
1089
- verifierIds: ['ownership-basic'],
1090
- chainId: hubChainId
1091
- });
1092
-
1093
- let signature;
1094
- try {
1095
- // UNIFIED SIGNING: Match utils/core.ts fallback order
1096
- const toHexUtf8 = (s) => {
1097
- const enc = new TextEncoder();
1098
- const bytes = enc.encode(s);
1099
- let hex = '0x';
1100
- for (let i = 0; i < bytes.length; i++) hex += bytes[i].toString(16).padStart(2, '0');
1101
- return hex;
1102
- };
1103
-
1104
- // Detect Farcaster wallet - requires hex-encoded messages FIRST
1105
- const isFarcasterWallet = (() => {
1106
- if (typeof window === 'undefined') return false;
1107
- try {
1108
- const w = window;
1109
- const fc = w.farcaster;
1110
- if (!fc || !fc.context) return false;
1111
- const fcProvider = fc.provider || fc.walletProvider || (fc.context && fc.context.walletProvider);
1112
- if (fcProvider === w.ethereum) return true;
1113
- if (w.mini && w.mini.wallet === w.ethereum && fc && fc.context) return true;
1114
- if (w.ethereum && fc && fc.context) return true;
1115
- } catch {
1116
- // ignore: optional Farcaster detection
1117
- }
1118
- return false;
1119
- })();
1120
-
1121
- if (isFarcasterWallet) {
1122
- try {
1123
- const hexMsg = toHexUtf8(message);
1124
- signature = await window.ethereum.request({ method: 'personal_sign', params: [hexMsg, address] });
1125
- } catch {
1126
- // ignore: fall through to standard signing
1127
- }
1128
- }
1129
-
1130
- if (!signature) {
1131
- signature = await window.ethereum.request({ method: 'personal_sign', params: [message, address] });
1132
- }
1133
- } catch (error) {
1134
- if (error.code === 4001) {
1135
- throw new ValidationError('User rejected revocation signature');
1136
- }
1137
- throw new ValidationError(`Failed to sign revocation: ${error.message}`);
1138
- }
1139
-
1140
- const res = await fetch(`${this.config.apiUrl}/api/v1/proofs/${qHash}/revoke-self`, {
1141
- method: 'POST',
1142
- // SECURITY: Do not put proof signatures into Authorization headers.
1143
- headers: { 'Content-Type': 'application/json' },
1144
- body: JSON.stringify({ walletAddress: address, signature, signedTimestamp })
1145
- });
1146
- const json = await res.json();
1147
- if (!json.success) {
1148
- throw new ApiError(json.error?.message || 'Failed to revoke proof', json.error);
1149
- }
1150
- return true;
1151
- }
1152
-
1153
- // ============================================================================
1154
- // PROOFS & GATING METHODS
1155
- // ============================================================================
1156
-
1157
- /**
1158
- * GET PROOFS BY WALLET - Fetch proofs for a wallet address
1159
- *
1160
- * @param {string} walletAddress - Wallet address (0x...) or DID (did:pkh:...)
1161
- * @param {Object} [options] - Filter options
1162
- * @param {number} [options.limit] - Max results (default: 50; higher limits require owner access)
1163
- * @param {number} [options.offset] - Pagination offset (default: 0)
1164
- * @returns {Promise<Object>} Proofs result
1165
- *
1166
- * @example
1167
- * const result = await client.getProofsByWallet('0x...', {
1168
- * limit: 50,
1169
- * offset: 0
1170
- * });
1171
- */
1172
- async getProofsByWallet(walletAddress, options = {}) {
1173
- if (!walletAddress || typeof walletAddress !== 'string') {
1174
- throw new ValidationError('walletAddress is required');
1175
- }
1176
-
1177
- const id = walletAddress.trim();
1178
- const pathId = /^0x[a-fA-F0-9]{40}$/i.test(id) ? id.toLowerCase() : id;
1179
-
1180
- const qs = [];
1181
- if (options.limit) qs.push(`limit=${encodeURIComponent(String(options.limit))}`);
1182
- if (options.offset) qs.push(`offset=${encodeURIComponent(String(options.offset))}`);
1183
-
1184
- const query = qs.length ? `?${qs.join('&')}` : '';
1185
- const response = await this._makeRequest(
1186
- 'GET',
1187
- `/api/v1/proofs/byWallet/${encodeURIComponent(pathId)}${query}`
1188
- );
1189
-
1190
- if (!response.success) {
1191
- throw new ApiError(`Failed to get proofs: ${response.error?.message || 'Unknown error'}`, response.error);
1192
- }
1193
-
1194
- // Normalize response structure
1195
- const proofs = response.data?.proofs || response.data || response.proofs || [];
1196
- return {
1197
- success: true,
1198
- proofs: Array.isArray(proofs) ? proofs : [],
1199
- totalCount: response.data?.totalCount ?? proofs.length,
1200
- hasMore: Boolean(response.data?.hasMore),
1201
- nextOffset: response.data?.nextOffset ?? null
1202
- };
1203
- }
1204
-
1205
- /**
1206
- * Get proofs by wallet (owner access)
1207
- *
1208
- * Signs an owner-access intent and requests private proofs via signature headers.
1209
- *
1210
- * @param {string} walletAddress - Wallet address (0x...) or DID (did:pkh:...)
1211
- * @param {Object} [options]
1212
- * @param {number} [options.limit] - Max results (server enforces caps)
1213
- * @param {number} [options.offset] - Pagination offset
1214
- * @param {Object} [wallet] - Optional injected wallet/provider (MetaMask/ethers Wallet)
1215
- */
1216
- async getPrivateProofsByWallet(walletAddress, options = {}, wallet = null) {
1217
- if (!walletAddress || typeof walletAddress !== 'string') {
1218
- throw new ValidationError('walletAddress is required');
1219
- }
1220
-
1221
- const id = walletAddress.trim();
1222
- const pathId = /^0x[a-fA-F0-9]{40}$/i.test(id) ? id.toLowerCase() : id;
1223
-
1224
- // Auto-detect wallet if not provided
1225
- if (!wallet) {
1226
- if (typeof window === 'undefined' || !window.ethereum) {
1227
- throw new ConfigurationError('No wallet provider available');
1228
- }
1229
- wallet = window.ethereum;
1230
- }
1231
-
1232
- let signerWalletAddress, provider;
1233
- if (wallet.address) {
1234
- signerWalletAddress = wallet.address;
1235
- provider = wallet;
1236
- } else if (wallet.selectedAddress || wallet.request) {
1237
- provider = wallet;
1238
- if (wallet.selectedAddress) {
1239
- signerWalletAddress = wallet.selectedAddress;
1240
- } else {
1241
- const accounts = await provider.request({ method: 'eth_accounts' });
1242
- if (!accounts || accounts.length === 0) {
1243
- throw new ConfigurationError('No wallet accounts available');
1244
- }
1245
- signerWalletAddress = accounts[0];
1246
- }
1247
- } else {
1248
- throw new ConfigurationError('Invalid wallet provider');
1249
- }
1250
-
1251
- const signedTimestamp = Date.now();
1252
- const message = constructVerificationMessage({
1253
- walletAddress: signerWalletAddress,
1254
- signedTimestamp,
1255
- data: { action: 'access_private_proofs_by_wallet', walletAddress: signerWalletAddress.toLowerCase() },
1256
- verifierIds: ['ownership-basic'],
1257
- chainId: NEUS_CONSTANTS.HUB_CHAIN_ID
1258
- });
1259
-
1260
- let signature;
1261
- try {
1262
- if (provider.signMessage) {
1263
- signature = await provider.signMessage(message);
1264
- } else {
1265
- signature = await provider.request({
1266
- method: 'personal_sign',
1267
- params: [message, signerWalletAddress]
1268
- });
1269
- }
1270
- } catch (error) {
1271
- if (error.code === 4001) {
1272
- throw new ValidationError('User rejected signature request');
1273
- }
1274
- throw new ValidationError(`Failed to sign message: ${error.message}`);
1275
- }
1276
-
1277
- const qs = [];
1278
- if (options.limit) qs.push(`limit=${encodeURIComponent(String(options.limit))}`);
1279
- if (options.offset) qs.push(`offset=${encodeURIComponent(String(options.offset))}`);
1280
- const query = qs.length ? `?${qs.join('&')}` : '';
1281
-
1282
- const response = await this._makeRequest('GET', `/api/v1/proofs/byWallet/${encodeURIComponent(pathId)}${query}`, null, {
1283
- 'x-wallet-address': signerWalletAddress,
1284
- 'x-signature': signature,
1285
- 'x-signed-timestamp': signedTimestamp.toString()
1286
- });
1287
-
1288
- if (!response.success) {
1289
- throw new ApiError(`Failed to get proofs: ${response.error?.message || 'Unauthorized'}`, response.error);
1290
- }
1291
-
1292
- const proofs = response.data?.proofs || response.data || response.proofs || [];
1293
- return {
1294
- success: true,
1295
- proofs: Array.isArray(proofs) ? proofs : [],
1296
- totalCount: response.data?.totalCount ?? proofs.length,
1297
- hasMore: Boolean(response.data?.hasMore),
1298
- nextOffset: response.data?.nextOffset ?? null
1299
- };
1300
- }
1301
-
1302
- /**
1303
- * GATE CHECK (API) - Minimal eligibility check
1304
- *
1305
- * Calls the public gate endpoint and returns a **minimal** yes/no response
1306
- * against **public + discoverable** proofs only.
1307
- *
1308
- * Prefer this over `checkGate()` for server-side integrations that want the
1309
- * smallest, most stable surface area (and do NOT need full proof payloads).
1310
- *
1311
- * @param {Object} params - Gate check query params
1312
- * @param {string} params.address - Wallet address to check (0x...)
1313
- * @param {Array<string>|string} [params.verifierIds] - Verifier IDs to match (array or comma-separated)
1314
- * @param {boolean} [params.requireAll] - Require all verifierIds on a single proof
1315
- * @param {number} [params.minCount] - Minimum number of matching proofs
1316
- * @param {number} [params.sinceDays] - Optional time window in days
1317
- * @param {number} [params.since] - Optional unix timestamp in ms (lower bound)
1318
- * @param {number} [params.limit] - Max rows to scan (server may clamp)
1319
- * @returns {Promise<Object>} API response ({ success, data })
1320
- */
1321
- async gateCheck(params = {}) {
1322
- const address = (params.address || '').toString();
1323
- if (!address || !/^0x[a-fA-F0-9]{40}$/i.test(address)) {
1324
- throw new ValidationError('Valid address is required');
1325
- }
1326
-
1327
- // Build query string safely (stringify all values; allow arrays for common fields)
1328
- const qs = new URLSearchParams();
1329
- qs.set('address', address);
1330
-
1331
- const setIfPresent = (key, value) => {
1332
- if (value === undefined || value === null) return;
1333
- const str = typeof value === 'string' ? value : String(value);
1334
- if (str.length === 0) return;
1335
- qs.set(key, str);
1336
- };
1337
-
1338
- const setBoolIfPresent = (key, value) => {
1339
- if (value === undefined || value === null) return;
1340
- qs.set(key, value ? 'true' : 'false');
1341
- };
1342
-
1343
- const setCsvIfPresent = (key, value) => {
1344
- if (value === undefined || value === null) return;
1345
- if (Array.isArray(value)) {
1346
- const items = value.map(v => String(v).trim()).filter(Boolean);
1347
- if (items.length) qs.set(key, items.join(','));
1348
- return;
1349
- }
1350
- setIfPresent(key, value);
1351
- };
1352
-
1353
- // Common filters
1354
- setCsvIfPresent('verifierIds', params.verifierIds);
1355
- setBoolIfPresent('requireAll', params.requireAll);
1356
- setIfPresent('minCount', params.minCount);
1357
- setIfPresent('sinceDays', params.sinceDays);
1358
- setIfPresent('since', params.since);
1359
- setIfPresent('limit', params.limit);
1360
-
1361
- // Common match filters (optional)
1362
- setIfPresent('referenceType', params.referenceType);
1363
- setIfPresent('referenceId', params.referenceId);
1364
- setIfPresent('tag', params.tag);
1365
- setCsvIfPresent('tags', params.tags);
1366
- setIfPresent('contentType', params.contentType);
1367
- setIfPresent('content', params.content);
1368
- setIfPresent('contentHash', params.contentHash);
1369
-
1370
- // Asset/ownership filters
1371
- setIfPresent('contractAddress', params.contractAddress);
1372
- setIfPresent('tokenId', params.tokenId);
1373
- setIfPresent('chainId', params.chainId);
1374
- setIfPresent('domain', params.domain);
1375
- setIfPresent('minBalance', params.minBalance);
1376
-
1377
- // Wallet filters
1378
- setIfPresent('provider', params.provider);
1379
- setIfPresent('ownerAddress', params.ownerAddress);
1380
- setIfPresent('riskLevel', params.riskLevel);
1381
- setBoolIfPresent('sanctioned', params.sanctioned);
1382
- setBoolIfPresent('poisoned', params.poisoned);
1383
- setIfPresent('primaryWalletAddress', params.primaryWalletAddress);
1384
- setIfPresent('secondaryWalletAddress', params.secondaryWalletAddress);
1385
- setIfPresent('verificationMethod', params.verificationMethod);
1386
-
1387
- const response = await this._makeRequest('GET', `/api/v1/proofs/gate/check?${qs.toString()}`);
1388
- if (!response.success) {
1389
- throw new ApiError(`Gate check failed: ${response.error?.message || 'Unknown error'}`, response.error);
1390
- }
1391
- return response;
1392
- }
1393
-
1394
- /**
1395
- * CHECK GATE - Evaluate requirements against existing proofs
1396
- *
1397
- * Gate-first verification: checks if wallet has valid proofs satisfying requirements.
1398
- * Returns which requirements are missing/expired.
1399
- *
1400
- * @param {Object} params - Gate check parameters
1401
- * @param {string} params.walletAddress - Target wallet
1402
- * @param {Array<Object>} params.requirements - Array of gate requirements
1403
- * @param {string} params.requirements[].verifierId - Required verifier ID
1404
- * @param {number} [params.requirements[].maxAgeMs] - Max proof age in ms (TTL)
1405
- * @param {boolean} [params.requirements[].optional] - If true, not required for gate satisfaction
1406
- * @param {number} [params.requirements[].minCount] - Minimum proofs needed (default: 1)
1407
- * @param {Object} [params.requirements[].match] - Verifier data match criteria
1408
- * Supports nested fields: 'reference.type', 'reference.id', 'content', 'contentHash', 'input.*', 'license.*'
1409
- * Supports verifier-specific:
1410
- * - NFT/Token: 'contractAddress', 'tokenId', 'chainId', 'ownerAddress', 'minBalance'
1411
- * - DNS: 'domain', 'walletAddress'
1412
- * - Wallet-link: 'primaryWalletAddress', 'secondaryWalletAddress', 'chainId'
1413
- * - Contract-ownership: 'contractAddress', 'chainId', 'owner', 'verificationMethod'
1414
- * Note: contentHash matching uses approximation in SDK; for exact SHA-256 matching, use backend API
1415
- * @param {Array} [params.proofs] - Pre-fetched proofs (skip API call)
1416
- * @returns {Promise<Object>} Gate result with satisfied, missing, existing
1417
- *
1418
- * @example
1419
- * // Basic gate check
1420
- * const result = await client.checkGate({
1421
- * walletAddress: '0x...',
1422
- * requirements: [
1423
- * { verifierId: 'nft-ownership', match: { contractAddress: '0x...' } }
1424
- * ]
1425
- * });
1426
- */
1427
- async checkGate(params) {
1428
- const { walletAddress, requirements, proofs: preloadedProofs } = params;
1429
-
1430
- if (!walletAddress || !/^0x[a-fA-F0-9]{40}$/i.test(walletAddress)) {
1431
- throw new ValidationError('Valid walletAddress is required');
1432
- }
1433
- if (!Array.isArray(requirements) || requirements.length === 0) {
1434
- throw new ValidationError('requirements array is required and must not be empty');
1435
- }
1436
-
1437
- // Use preloaded proofs or fetch from API
1438
- let proofs = preloadedProofs;
1439
- if (!proofs) {
1440
- const result = await this.getProofsByWallet(walletAddress, { limit: 100 });
1441
- proofs = result.proofs;
1442
- }
1443
-
1444
- const now = Date.now();
1445
- const existing = {};
1446
- const missing = [];
1447
-
1448
- for (const req of requirements) {
1449
- const { verifierId, maxAgeMs, optional = false, minCount = 1, match } = req;
1450
-
1451
- // Find matching proofs for this verifier
1452
- const matchingProofs = (proofs || []).filter(proof => {
1453
- // Must have this verifier and be verified
1454
- const verifiedVerifiers = proof.verifiedVerifiers || [];
1455
- const verifier = verifiedVerifiers.find(
1456
- v => v.verifierId === verifierId && v.verified === true
1457
- );
1458
- if (!verifier) return false;
1459
-
1460
- // Check proof is not revoked
1461
- if (proof.revokedAt) return false;
1462
-
1463
- // Check TTL if specified
1464
- if (maxAgeMs) {
1465
- const proofTimestamp = proof.createdAt || proof.signedTimestamp || 0;
1466
- const proofAge = now - proofTimestamp;
1467
- if (proofAge > maxAgeMs) return false;
1468
- }
1469
-
1470
- // Check custom match criteria if specified
1471
- if (match && typeof match === 'object') {
1472
- const data = verifier.data || {};
1473
- const input = data.input || {}; // NFT/token verifiers store fields in input
1474
-
1475
- for (const [key, expected] of Object.entries(match)) {
1476
- let actualValue = null;
1477
-
1478
- // Handle nested field access
1479
- if (key.includes('.')) {
1480
- const parts = key.split('.');
1481
- let current = data;
1482
-
1483
- if (parts[0] === 'input' && input) {
1484
- current = input;
1485
- parts.shift();
1486
- }
1487
-
1488
- for (const part of parts) {
1489
- if (current && typeof current === 'object' && part in current) {
1490
- current = current[part];
1491
- } else {
1492
- current = undefined;
1493
- break;
1494
- }
1495
- }
1496
- actualValue = current;
1497
- } else {
1498
- actualValue = input[key] || data[key];
1499
- }
1500
-
1501
- if (key === 'content' && actualValue === undefined) {
1502
- actualValue = data.reference?.id || data.content;
1503
- }
1504
-
1505
- // Special handling for verifier-specific fields
1506
- if (actualValue === undefined) {
1507
- if (key === 'contractAddress') {
1508
- actualValue = input.contractAddress || data.contractAddress;
1509
- } else if (key === 'tokenId') {
1510
- actualValue = input.tokenId || data.tokenId;
1511
- } else if (key === 'chainId') {
1512
- actualValue = input.chainId || data.chainId;
1513
- } else if (key === 'ownerAddress') {
1514
- actualValue = input.ownerAddress || data.owner || data.walletAddress;
1515
- } else if (key === 'minBalance') {
1516
- actualValue = input.minBalance || data.onChainData?.requiredMinBalance || data.minBalance;
1517
- } else if (key === 'primaryWalletAddress') {
1518
- actualValue = data.primaryWalletAddress;
1519
- } else if (key === 'secondaryWalletAddress') {
1520
- actualValue = data.secondaryWalletAddress;
1521
- } else if (key === 'verificationMethod') {
1522
- actualValue = data.verificationMethod;
1523
- } else if (key === 'domain') {
1524
- actualValue = data.domain;
1525
- }
1526
- }
1527
-
1528
- // Content hash check (approximation)
1529
- if (key === 'contentHash' && actualValue === undefined && data.content) {
1530
- try {
1531
- // Simple hash approximation for non-crypto envs
1532
- let hash = 0;
1533
- const str = String(data.content);
1534
- for (let i = 0; i < str.length; i++) {
1535
- const char = str.charCodeAt(i);
1536
- hash = ((hash << 5) - hash) + char;
1537
- hash = hash & hash;
1538
- }
1539
- actualValue = '0x' + Math.abs(hash).toString(16).padStart(64, '0').substring(0, 66);
1540
- } catch {
1541
- actualValue = String(data.content);
1542
- }
1543
- }
1544
-
1545
- let normalizedActual = actualValue;
1546
- let normalizedExpected = expected;
1547
-
1548
- if (actualValue === undefined || actualValue === null) {
1549
- return false;
1550
- }
1551
-
1552
- if (key === 'chainId' || (key === 'tokenId' && (typeof actualValue === 'number' || !isNaN(Number(actualValue))))) {
1553
- normalizedActual = Number(actualValue);
1554
- normalizedExpected = Number(expected);
1555
- if (isNaN(normalizedActual) || isNaN(normalizedExpected)) return false;
1556
- }
1557
- else if (typeof actualValue === 'string' && (actualValue.startsWith('0x') || actualValue.length > 20)) {
1558
- normalizedActual = actualValue.toLowerCase();
1559
- normalizedExpected = typeof expected === 'string' ? String(expected).toLowerCase() : expected;
1560
- }
1561
- else {
1562
- normalizedActual = actualValue;
1563
- normalizedExpected = expected;
1564
- }
1565
-
1566
- if (normalizedActual !== normalizedExpected) {
1567
- return false;
1568
- }
1569
- }
1570
- }
1571
-
1572
- return true;
1573
- });
1574
-
1575
- if (matchingProofs.length >= minCount) {
1576
- const sorted = matchingProofs.sort((a, b) => (b.createdAt || 0) - (a.createdAt || 0));
1577
- existing[verifierId] = sorted[0];
1578
- } else if (!optional) {
1579
- missing.push(req);
1580
- }
1581
- }
1582
-
1583
- return {
1584
- satisfied: missing.length === 0,
1585
- missing,
1586
- existing,
1587
- allProofs: proofs
1588
- };
1589
- }
1590
-
1591
- // ============================================================================
1592
- // PRIVATE UTILITY METHODS
1593
- // ============================================================================
1594
-
1595
- /**
1596
- * Get connected wallet address
1597
- * @private
1598
- */
1599
- async _getWalletAddress() {
1600
- if (typeof window === 'undefined' || !window.ethereum) {
1601
- throw new ConfigurationError('No Web3 wallet detected');
1602
- }
1603
-
1604
- const accounts = await window.ethereum.request({ method: 'eth_accounts' });
1605
- if (!accounts || accounts.length === 0) {
1606
- throw new ConfigurationError('No wallet accounts available');
1607
- }
1608
-
1609
- return accounts[0];
1610
- }
1611
-
1612
- /**
1613
- * Make HTTP request to API
1614
- * @private
1615
- */
1616
- async _makeRequest(method, endpoint, data = null, headersOverride = null) {
1617
- const url = `${this.baseUrl}${endpoint}`;
1618
-
1619
- const controller = new AbortController();
1620
- const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
1621
-
1622
- const options = {
1623
- method,
1624
- headers: { ...this.defaultHeaders, ...(headersOverride || {}) },
1625
- signal: controller.signal
1626
- };
1627
-
1628
- if (data && (method === 'POST' || method === 'PUT' || method === 'PATCH')) {
1629
- options.body = JSON.stringify(data);
1630
- }
1631
-
1632
- this._log(`${method} ${endpoint}`, data ? { requestBodyKeys: Object.keys(data) } : {});
1633
-
1634
- try {
1635
- const response = await fetch(url, options);
1636
- clearTimeout(timeoutId);
1637
-
1638
- let responseData;
1639
- try {
1640
- responseData = await response.json();
1641
- } catch {
1642
- responseData = { error: { message: 'Invalid JSON response' } };
1643
- }
1644
-
1645
- if (!response.ok) {
1646
- throw ApiError.fromResponse(response, responseData);
1647
- }
1648
-
1649
- return responseData;
1650
-
1651
- } catch (error) {
1652
- clearTimeout(timeoutId);
1653
-
1654
- if (error.name === 'AbortError') {
1655
- throw new NetworkError(`Request timeout after ${this.config.timeout}ms`);
1656
- }
1657
-
1658
- if (error instanceof ApiError) {
1659
- throw error;
1660
- }
1661
-
1662
- throw new NetworkError(`Network error: ${error.message}`);
1663
- }
1664
- }
1665
-
1666
- /**
1667
- * Format API response for consistent structure
1668
- * @private
1669
- */
1670
- _formatResponse(response) {
1671
- const qHash = response?.data?.qHash ||
1672
- response?.qHash ||
1673
- response?.data?.resource?.qHash ||
1674
- response?.data?.id;
1675
-
1676
- const status = response?.data?.status ||
1677
- response?.status ||
1678
- response?.data?.resource?.status ||
1679
- (response?.success ? 'completed' : 'unknown');
1680
-
1681
- return {
1682
- success: response.success,
1683
- qHash,
1684
- status,
1685
- data: response.data,
1686
- message: response.message,
1687
- timestamp: Date.now(),
1688
- statusUrl: qHash ? `${this.baseUrl}/api/v1/verification/status/${qHash}` : null
1689
- };
1690
- }
1691
-
1692
- /**
1693
- * Check if status is terminal (completed or failed)
1694
- * @private
1695
- */
1696
- _isTerminalStatus(status) {
1697
- const terminalStates = [
1698
- 'verified',
1699
- 'verified_crosschain_propagated',
1700
- 'completed_all_successful',
1701
- 'failed',
1702
- 'error',
1703
- 'rejected',
1704
- 'cancelled'
1705
- ];
1706
- return typeof status === 'string' && terminalStates.some(state => status.includes(state));
1707
- }
1708
-
1709
- /** SDK logging (opt-in via config.enableLogging) */
1710
- _log(message, data = {}) {
1711
- if (this.config.enableLogging) {
1712
- try {
1713
- const prefix = '[neus/sdk]';
1714
- if (data && Object.keys(data).length > 0) {
1715
- // eslint-disable-next-line no-console
1716
- console.log(prefix, message, data);
1717
- } else {
1718
- // eslint-disable-next-line no-console
1719
- console.log(prefix, message);
1720
- }
1721
- } catch {
1722
- // ignore logging failures
1723
- }
1724
- }
1725
- }
1726
- }
1727
-
1728
- // Export the constructVerificationMessage function for advanced use
1729
- export { constructVerificationMessage };
346
+ if (this.config.extraHeaders && typeof this.config.extraHeaders === 'object') {
347
+ for (const [k, v] of Object.entries(this.config.extraHeaders)) {
348
+ if (!k || v === undefined || v === null) continue;
349
+ const key = String(k).trim();
350
+ const value = String(v).trim();
351
+ if (!key || !value) continue;
352
+ this.defaultHeaders[key] = value;
353
+ }
354
+ }
355
+ try {
356
+ if (typeof window !== 'undefined' && window.location && window.location.origin) {
357
+ this.defaultHeaders['X-Client-Origin'] = window.location.origin;
358
+ }
359
+ } catch {
360
+ // ignore: optional browser metadata header
361
+ }
362
+ }
363
+
364
+ _getHubChainId() {
365
+ const configured = Number(this.config?.hubChainId);
366
+ if (Number.isFinite(configured) && configured > 0) return Math.floor(configured);
367
+ return NEUS_CONSTANTS.HUB_CHAIN_ID;
368
+ }
369
+
370
+ _normalizeIdentity(value) {
371
+ let raw = String(value || '').trim();
372
+ if (!raw) return '';
373
+ const didMatch = raw.match(/^did:pkh:([^:]+):([^:]+):(.+)$/i);
374
+ if (didMatch && didMatch[3]) {
375
+ raw = String(didMatch[3]).trim();
376
+ }
377
+ return EVM_ADDRESS_RE.test(raw) ? raw.toLowerCase() : raw;
378
+ }
379
+
380
+ _inferChainForAddress(address, explicitChain) {
381
+ if (typeof explicitChain === 'string' && explicitChain.includes(':')) return explicitChain.trim();
382
+ const raw = String(address || '').trim();
383
+ const didMatch = raw.match(/^did:pkh:([^:]+):([^:]+):(.+)$/i);
384
+ if (didMatch && didMatch[1] && didMatch[2]) {
385
+ return `${didMatch[1]}:${didMatch[2]}`;
386
+ }
387
+ if (EVM_ADDRESS_RE.test(raw)) {
388
+ return `eip155:${this._getHubChainId()}`;
389
+ }
390
+ // Default non-EVM chain for universal wallet paths when caller omits chain.
391
+ return 'solana:mainnet';
392
+ }
393
+
394
+ async _resolveWalletSigner(wallet) {
395
+ if (!wallet) {
396
+ throw new ConfigurationError('No wallet provider available');
397
+ }
398
+
399
+ if (wallet.address) {
400
+ return { signerWalletAddress: wallet.address, provider: wallet };
401
+ }
402
+ if (wallet.publicKey && typeof wallet.publicKey.toBase58 === 'function') {
403
+ return { signerWalletAddress: wallet.publicKey.toBase58(), provider: wallet };
404
+ }
405
+ if (typeof wallet.getAddress === 'function') {
406
+ const signerWalletAddress = await wallet.getAddress().catch(() => null);
407
+ return { signerWalletAddress, provider: wallet };
408
+ }
409
+ if (wallet.selectedAddress || wallet.request) {
410
+ const provider = wallet;
411
+ if (wallet.selectedAddress) {
412
+ return { signerWalletAddress: wallet.selectedAddress, provider };
413
+ }
414
+ const accounts = await provider.request({ method: 'eth_accounts' });
415
+ if (!accounts || accounts.length === 0) {
416
+ throw new ConfigurationError('No wallet accounts available');
417
+ }
418
+ return { signerWalletAddress: accounts[0], provider };
419
+ }
420
+
421
+ throw new ConfigurationError('Invalid wallet provider');
422
+ }
423
+
424
+ _getDefaultBrowserWallet() {
425
+ if (typeof window === 'undefined') return null;
426
+ return window.ethereum || window.solana || (window.phantom && window.phantom.solana) || null;
427
+ }
428
+
429
+ async _buildPrivateGateAuth({ address, wallet, chain, signatureMethod } = {}) {
430
+ const providerWallet = wallet || this._getDefaultBrowserWallet();
431
+ const { signerWalletAddress, provider } = await this._resolveWalletSigner(providerWallet);
432
+ if (!signerWalletAddress || typeof signerWalletAddress !== 'string') {
433
+ throw new ConfigurationError('No wallet accounts available');
434
+ }
435
+
436
+ const normalizedSigner = this._normalizeIdentity(signerWalletAddress);
437
+ const normalizedAddress = this._normalizeIdentity(address);
438
+ if (!normalizedSigner || normalizedSigner !== normalizedAddress) {
439
+ throw new ValidationError('wallet must match address when includePrivate=true');
440
+ }
441
+
442
+ const signerIsEvm = EVM_ADDRESS_RE.test(normalizedSigner);
443
+ const resolvedChain = this._inferChainForAddress(normalizedSigner, chain);
444
+ const resolvedSignatureMethod = (typeof signatureMethod === 'string' && signatureMethod.trim())
445
+ ? signatureMethod.trim()
446
+ : (signerIsEvm ? 'eip191' : 'ed25519');
447
+
448
+ const signedTimestamp = Date.now();
449
+ const message = constructVerificationMessage({
450
+ walletAddress: signerWalletAddress,
451
+ signedTimestamp,
452
+ data: { action: 'gate_check_private_proofs', walletAddress: normalizedAddress },
453
+ verifierIds: ['ownership-basic'],
454
+ ...(signerIsEvm ? { chainId: this._getHubChainId() } : { chain: resolvedChain })
455
+ });
456
+
457
+ let signature;
458
+ try {
459
+ signature = await signMessage({
460
+ provider,
461
+ message,
462
+ walletAddress: signerWalletAddress,
463
+ ...(signerIsEvm ? {} : { chain: resolvedChain })
464
+ });
465
+ } catch (error) {
466
+ if (error.code === 4001) {
467
+ throw new ValidationError('User rejected signature request');
468
+ }
469
+ throw new ValidationError(`Failed to sign message: ${error.message}`);
470
+ }
471
+
472
+ return {
473
+ walletAddress: signerWalletAddress,
474
+ signature,
475
+ signedTimestamp,
476
+ ...(signerIsEvm ? {} : { chain: resolvedChain, signatureMethod: resolvedSignatureMethod })
477
+ };
478
+ }
479
+
480
+ async createGatePrivateAuth(params = {}) {
481
+ const address = (params.address || '').toString();
482
+ if (!validateUniversalAddress(address, params.chain)) {
483
+ throw new ValidationError('Valid address is required');
484
+ }
485
+ return this._buildPrivateGateAuth({
486
+ address,
487
+ wallet: params.wallet,
488
+ chain: params.chain,
489
+ signatureMethod: params.signatureMethod
490
+ });
491
+ }
492
+
493
+ /**
494
+ * Create a verification proof.
495
+ *
496
+ * Supports two paths:
497
+ * - **Auto:** Supply `verifier`, `content`, and/or `data` with an optional
498
+ * `wallet` provider. The SDK performs signing in the client.
499
+ * - **Manual:** Supply pre-signed `verifierIds`, `data`, `walletAddress`,
500
+ * `signature`, and `signedTimestamp`.
501
+ *
502
+ * @param {Object} params - Verification parameters
503
+ * @param {string} [params.verifier] - Verifier ID (auto path, e.g. 'ownership-basic')
504
+ * @param {string} [params.content] - Content to verify (auto path)
505
+ * @param {Object} [params.data] - Structured verification data
506
+ * @param {Object} [params.wallet] - Wallet provider (auto path)
507
+ * @param {Object} [params.options] - Additional options
508
+ * @param {Array<string>} [params.verifierIds] - Array of verifier IDs (manual path)
509
+ * @param {string} [params.walletAddress] - Wallet address that signed the request (manual path)
510
+ * @param {string} [params.signature] - EIP-191 signature (manual path)
511
+ * @param {number} [params.signedTimestamp] - Unix timestamp when signature was created (manual path)
512
+ * @param {number} [params.chainId] - EVM signing-context hint; when omitted, resolved to the NEUS protocol primary chain for signing
513
+ * @returns {Promise<Object>} Verification result with proofId
514
+ *
515
+ * @example
516
+ * // Auto path
517
+ * const proof = await client.verify({
518
+ * verifier: 'ownership-basic',
519
+ * content: 'Hello World',
520
+ * wallet: window.ethereum
521
+ * });
522
+ *
523
+ * @example
524
+ * // Manual path
525
+ * const proof = await client.verify({
526
+ * verifierIds: ['ownership-basic'],
527
+ * data: { content: "My content", owner: walletAddress },
528
+ * walletAddress: '0x...',
529
+ * signature: '0x...',
530
+ * signedTimestamp: Date.now(),
531
+ * options: { targetChains: [421614, 11155111] }
532
+ * });
533
+ */
534
+ async verify(params) {
535
+ // Auto path: if no manual signature fields but auto fields are provided, perform inline wallet flow
536
+ if ((!params?.signature || !params?.walletAddress) && (params?.verifier || params?.content || params?.data)) {
537
+ const { content, verifier = 'ownership-basic', data = null, wallet = null, options = {} } = params;
538
+
539
+ // ownership-basic: content required for simple mode, but data param mode allows contentHash or reference
540
+ if (verifier === 'ownership-basic' && !data && (!content || typeof content !== 'string')) {
541
+ throw new ValidationError('content is required and must be a string (or use data param with owner + reference)');
542
+ }
543
+
544
+ let verifierCatalog = FALLBACK_PUBLIC_VERIFIER_CATALOG;
545
+ try {
546
+ const discovered = await this.getVerifierCatalog();
547
+ if (discovered && discovered.metadata && Object.keys(discovered.metadata).length > 0) {
548
+ verifierCatalog = discovered.metadata;
549
+ }
550
+ } catch {
551
+ // Fallback keeps SDK usable if verifier catalog endpoint is temporarily unavailable.
552
+ }
553
+ const validVerifiers = Object.keys(verifierCatalog);
554
+ if (!validVerifiers.includes(verifier)) {
555
+ throw new ValidationError(`Invalid verifier '${verifier}'. Must be one of: ${validVerifiers.join(', ')}.`);
556
+ }
557
+
558
+ if (verifierCatalog?.[verifier]?.supportsDirectApi === false) {
559
+ const hostedCheckoutUrl = options?.hostedCheckoutUrl || 'https://neus.network/verify';
560
+ throw new ValidationError(
561
+ `${verifier} requires hosted interactive checkout. Use VerifyGate or redirect to ${hostedCheckoutUrl}.`
562
+ );
563
+ }
564
+
565
+ // These verifiers require explicit data parameter (no auto-path)
566
+ const requiresDataParam = [
567
+ 'ownership-dns-txt',
568
+ 'wallet-link',
569
+ 'contract-ownership',
570
+ 'ownership-pseudonym',
571
+ 'wallet-risk',
572
+ 'agent-identity',
573
+ 'agent-delegation',
574
+ 'ai-content-moderation'
575
+ ];
576
+ if (requiresDataParam.includes(verifier)) {
577
+ if (!data || typeof data !== 'object') {
578
+ throw new ValidationError(`${verifier} requires explicit data parameter. Cannot use auto-path.`);
579
+ }
580
+ }
581
+
582
+ // Auto-detect wallet and get address
583
+ let walletAddress, provider;
584
+ if (wallet) {
585
+ walletAddress =
586
+ wallet.address ||
587
+ wallet.selectedAddress ||
588
+ wallet.walletAddress ||
589
+ (typeof wallet.getAddress === 'function' ? await wallet.getAddress() : null);
590
+ provider = wallet.provider || wallet;
591
+ if (!walletAddress && provider && typeof provider.request === 'function') {
592
+ const accounts = await provider.request({ method: 'eth_accounts' });
593
+ walletAddress = Array.isArray(accounts) ? accounts[0] : null;
594
+ }
595
+ } else {
596
+ if (typeof window === 'undefined' || !window.ethereum) {
597
+ throw new ConfigurationError('No Web3 wallet detected. Please install MetaMask or provide wallet parameter.');
598
+ }
599
+ await window.ethereum.request({ method: 'eth_requestAccounts' });
600
+ provider = window.ethereum;
601
+ const accounts = await provider.request({ method: 'eth_accounts' });
602
+ walletAddress = accounts[0];
603
+ }
604
+
605
+ // Prepare verification data based on verifier type
606
+ let verificationData;
607
+ if (verifier === 'ownership-basic') {
608
+ if (data && typeof data === 'object') {
609
+ // Data param mode: use provided data, inject owner if missing
610
+ verificationData = {
611
+ owner: data.owner || walletAddress,
612
+ reference: data.reference,
613
+ ...(data.content && { content: data.content }),
614
+ ...(data.contentHash && { contentHash: data.contentHash }),
615
+ ...(data.contentType && { contentType: data.contentType }),
616
+ ...(data.provenance && { provenance: data.provenance })
617
+ };
618
+ } else {
619
+ // Simple content mode: derive reference from content
620
+ verificationData = {
621
+ content: content,
622
+ owner: walletAddress,
623
+ reference: { type: 'other' }
624
+ };
625
+ }
626
+ } else if (verifier === 'token-holding') {
627
+ if (!data?.contractAddress) {
628
+ throw new ValidationError('token-holding requires contractAddress in data parameter');
629
+ }
630
+ if (data?.minBalance === null || data?.minBalance === undefined) {
631
+ throw new ValidationError('token-holding requires minBalance in data parameter');
632
+ }
633
+ if (typeof data?.chainId !== 'number') {
634
+ throw new ValidationError('token-holding requires chainId (number) in data parameter');
635
+ }
636
+ verificationData = {
637
+ ownerAddress: walletAddress,
638
+ contractAddress: data.contractAddress,
639
+ minBalance: data.minBalance,
640
+ chainId: data.chainId
641
+ };
642
+ } else if (verifier === 'nft-ownership') {
643
+ if (!data?.contractAddress) {
644
+ throw new ValidationError('nft-ownership requires contractAddress in data parameter');
645
+ }
646
+ if (data?.tokenId === null || data?.tokenId === undefined) {
647
+ throw new ValidationError('nft-ownership requires tokenId in data parameter');
648
+ }
649
+ if (typeof data?.chainId !== 'number') {
650
+ throw new ValidationError('nft-ownership requires chainId (number) in data parameter');
651
+ }
652
+ verificationData = {
653
+ ownerAddress: walletAddress,
654
+ contractAddress: data.contractAddress,
655
+ tokenId: data.tokenId,
656
+ chainId: data.chainId,
657
+ tokenType: data?.tokenType || 'erc721'
658
+ };
659
+ } else if (verifier === 'ownership-dns-txt') {
660
+ if (!data?.domain) {
661
+ throw new ValidationError('ownership-dns-txt requires domain in data parameter');
662
+ }
663
+ verificationData = {
664
+ domain: data.domain,
665
+ walletAddress: walletAddress
666
+ };
667
+ } else if (verifier === 'wallet-link') {
668
+ if (!data?.secondaryWalletAddress) {
669
+ throw new ValidationError('wallet-link requires secondaryWalletAddress in data parameter');
670
+ }
671
+ if (!data?.signature) {
672
+ throw new ValidationError('wallet-link requires signature in data parameter (signed by secondary wallet)');
673
+ }
674
+ if (typeof data?.chain !== 'string' || !/^[a-z0-9]+:[^\s]+$/.test(data.chain)) {
675
+ throw new ValidationError('wallet-link requires chain (namespace:reference) in data parameter');
676
+ }
677
+ if (typeof data?.signatureMethod !== 'string' || !data.signatureMethod.trim()) {
678
+ throw new ValidationError('wallet-link requires signatureMethod in data parameter');
679
+ }
680
+ verificationData = {
681
+ primaryWalletAddress: walletAddress,
682
+ secondaryWalletAddress: data.secondaryWalletAddress,
683
+ signature: data.signature,
684
+ chain: data.chain,
685
+ signatureMethod: data.signatureMethod,
686
+ signedTimestamp: data?.signedTimestamp || Date.now()
687
+ };
688
+ } else if (verifier === 'contract-ownership') {
689
+ if (!data?.contractAddress) {
690
+ throw new ValidationError('contract-ownership requires contractAddress in data parameter');
691
+ }
692
+ if (typeof data?.chainId !== 'number') {
693
+ throw new ValidationError('contract-ownership requires chainId (number) in data parameter');
694
+ }
695
+ verificationData = {
696
+ contractAddress: data.contractAddress,
697
+ walletAddress: walletAddress,
698
+ chainId: data.chainId,
699
+ ...(data?.method && { method: data.method })
700
+ };
701
+ } else if (verifier === 'agent-identity') {
702
+ if (!data?.agentId) {
703
+ throw new ValidationError('agent-identity requires agentId in data parameter');
704
+ }
705
+ verificationData = {
706
+ agentId: data.agentId,
707
+ agentWallet: data?.agentWallet || walletAddress,
708
+ ...(data?.agentLabel && { agentLabel: data.agentLabel }),
709
+ ...(data?.agentType && { agentType: data.agentType }),
710
+ ...(data?.description && { description: data.description }),
711
+ ...(data?.capabilities && { capabilities: data.capabilities }),
712
+ ...(data?.instructions && { instructions: data.instructions }),
713
+ ...(data?.skills && { skills: data.skills }),
714
+ ...(data?.services && { services: data.services })
715
+ };
716
+ } else if (verifier === 'agent-delegation') {
717
+ if (!data?.agentWallet) {
718
+ throw new ValidationError('agent-delegation requires agentWallet in data parameter');
719
+ }
720
+ verificationData = {
721
+ controllerWallet: data?.controllerWallet || walletAddress,
722
+ agentWallet: data.agentWallet,
723
+ ...(data?.agentId && { agentId: data.agentId }),
724
+ ...(data?.scope && { scope: data.scope }),
725
+ ...(data?.permissions && { permissions: data.permissions }),
726
+ ...(data?.maxSpend && { maxSpend: data.maxSpend }),
727
+ ...(data?.allowedPaymentTypes && { allowedPaymentTypes: data.allowedPaymentTypes }),
728
+ ...(data?.receiptDisclosure && { receiptDisclosure: data.receiptDisclosure }),
729
+ ...(data?.expiresAt && { expiresAt: data.expiresAt }),
730
+ ...(data?.instructions && { instructions: data.instructions }),
731
+ ...(data?.skills && { skills: data.skills })
732
+ };
733
+ } else if (verifier === 'ai-content-moderation') {
734
+ if (!data?.content) {
735
+ throw new ValidationError('ai-content-moderation requires content (base64) in data parameter');
736
+ }
737
+ if (!data?.contentType) {
738
+ throw new ValidationError('ai-content-moderation requires contentType (MIME type) in data parameter');
739
+ }
740
+ verificationData = {
741
+ content: data.content,
742
+ contentType: data.contentType,
743
+ ...(data?.provider && { provider: data.provider })
744
+ };
745
+ } else if (verifier === 'ownership-pseudonym') {
746
+ if (!data?.pseudonymId) {
747
+ throw new ValidationError('ownership-pseudonym requires pseudonymId in data parameter');
748
+ }
749
+ verificationData = {
750
+ pseudonymId: data.pseudonymId,
751
+ ...(data?.namespace && { namespace: data.namespace }),
752
+ ...(data?.displayName && { displayName: data.displayName }),
753
+ ...(data?.metadata && { metadata: data.metadata })
754
+ };
755
+ } else if (verifier === 'wallet-risk') {
756
+ // wallet-risk defaults to verifying the connected wallet
757
+ verificationData = {
758
+ walletAddress: data?.walletAddress || walletAddress,
759
+ ...(data?.provider && { provider: data.provider }),
760
+ // Mainnet-first semantics: if caller doesn't provide chainId, default to Ethereum mainnet (1).
761
+ // This avoids accidental testnet semantics for risk providers.
762
+ chainId: (typeof data?.chainId === 'number' && Number.isFinite(data.chainId)) ? data.chainId : 1,
763
+ ...(data?.includeDetails !== undefined && { includeDetails: data.includeDetails })
764
+ };
765
+ } else {
766
+ verificationData = data ? {
767
+ content,
768
+ owner: walletAddress,
769
+ ...data
770
+ } : {
771
+ content,
772
+ owner: walletAddress
773
+ };
774
+ }
775
+
776
+ const signedTimestamp = Date.now();
777
+ const verifierIds = [verifier];
778
+ const message = constructVerificationMessage({
779
+ walletAddress,
780
+ signedTimestamp,
781
+ data: verificationData,
782
+ verifierIds,
783
+ chainId: this._getHubChainId() // Protocol-managed chain
784
+ });
785
+
786
+ let signature;
787
+ try {
788
+ const toHexUtf8 = (s) => {
789
+ try {
790
+ const enc = new TextEncoder();
791
+ const bytes = enc.encode(s);
792
+ let hex = '0x';
793
+ for (let i = 0; i < bytes.length; i++) hex += bytes[i].toString(16).padStart(2, '0');
794
+ return hex;
795
+ } catch {
796
+ let hex = '0x';
797
+ for (let i = 0; i < s.length; i++) hex += s.charCodeAt(i).toString(16).padStart(2, '0');
798
+ return hex;
799
+ }
800
+ };
801
+
802
+ // Detect Farcaster wallet - requires hex-encoded messages FIRST
803
+ const isFarcasterWallet = (() => {
804
+ if (typeof window === 'undefined') return false;
805
+ try {
806
+ const w = window;
807
+ const fc = w.farcaster;
808
+ if (!fc || !fc.context) return false;
809
+ const fcProvider = fc.provider || fc.walletProvider || (fc.context && fc.context.walletProvider);
810
+ if (fcProvider === provider) return true;
811
+ if (w.mini && w.mini.wallet === provider && fc && fc.context) return true;
812
+ if (w.ethereum === provider && fc && fc.context) return true;
813
+ } catch {
814
+ // ignore: optional Farcaster detection
815
+ }
816
+ return false;
817
+ })();
818
+
819
+ if (isFarcasterWallet) {
820
+ try {
821
+ const hexMsg = toHexUtf8(message);
822
+ signature = await provider.request({ method: 'personal_sign', params: [hexMsg, walletAddress] });
823
+ } catch (e) {
824
+ // Fall through
825
+ }
826
+ }
827
+
828
+ if (!signature) {
829
+ try {
830
+ signature = await provider.request({ method: 'personal_sign', params: [message, walletAddress] });
831
+ } catch (e) {
832
+ const msg = String(e && (e.message || e.reason) || e || '').toLowerCase();
833
+ const errCode = (e && (e.code || (e.error && e.error.code))) || null;
834
+ const needsHex = /byte|bytes|invalid byte sequence|encoding|non-hex/i.test(msg);
835
+
836
+ const unsupportedRe =
837
+ /method.*not.*supported|unsupported|not implemented|method not found|unknown method|does not support/i;
838
+ const methodUnsupported = (
839
+ unsupportedRe.test(msg) ||
840
+ errCode === -32601 ||
841
+ errCode === 4200 ||
842
+ (msg.includes('personal_sign') && msg.includes('not')) ||
843
+ (msg.includes('request method') && msg.includes('not supported'))
844
+ );
845
+
846
+ if (methodUnsupported) {
847
+ this._log('personal_sign not supported; attempting eth_sign fallback');
848
+ try {
849
+ const enc = new TextEncoder();
850
+ const bytes = enc.encode(message);
851
+ const prefix = `\x19Ethereum Signed Message:\n${bytes.length}`;
852
+ const full = new Uint8Array(prefix.length + bytes.length);
853
+ for (let i = 0; i < prefix.length; i++) full[i] = prefix.charCodeAt(i);
854
+ full.set(bytes, prefix.length);
855
+ let payloadHex = '0x';
856
+ for (let i = 0; i < full.length; i++) payloadHex += full[i].toString(16).padStart(2, '0');
857
+ try {
858
+ if (typeof window !== 'undefined') window.__NEUS_ALLOW_ETH_SIGN__ = true;
859
+ } catch {
860
+ // ignore
861
+ }
862
+ signature = await provider.request({ method: 'eth_sign', params: [walletAddress, payloadHex], neusAllowEthSign: true });
863
+ try {
864
+ if (typeof window !== 'undefined') delete window.__NEUS_ALLOW_ETH_SIGN__;
865
+ } catch {
866
+ // ignore
867
+ }
868
+ } catch (fallbackErr) {
869
+ this._log('eth_sign fallback failed', { message: fallbackErr?.message || String(fallbackErr) });
870
+ try {
871
+ if (typeof window !== 'undefined') delete window.__NEUS_ALLOW_ETH_SIGN__;
872
+ } catch {
873
+ // ignore
874
+ }
875
+ throw e;
876
+ }
877
+ } else if (needsHex) {
878
+ this._log('Retrying personal_sign with hex-encoded message');
879
+ const hexMsg = toHexUtf8(message);
880
+ signature = await provider.request({ method: 'personal_sign', params: [hexMsg, walletAddress] });
881
+ } else {
882
+ throw e;
883
+ }
884
+ }
885
+ }
886
+ } catch (error) {
887
+ if (error.code === 4001) {
888
+ throw new ValidationError('User rejected the signature request. Signature is required to create proofs.');
889
+ }
890
+ throw new ValidationError(`Failed to sign verification message: ${error.message}`);
891
+ }
892
+
893
+ return this.verify({
894
+ verifierIds,
895
+ data: verificationData,
896
+ walletAddress,
897
+ signature,
898
+ signedTimestamp,
899
+ options
900
+ });
901
+ }
902
+
903
+ const {
904
+ verifierIds,
905
+ data,
906
+ walletAddress,
907
+ signature,
908
+ signedTimestamp,
909
+ chainId,
910
+ chain,
911
+ signatureMethod,
912
+ options = {}
913
+ } = params;
914
+
915
+ const resolvedChainId = chainId || (chain ? null : NEUS_CONSTANTS.HUB_CHAIN_ID);
916
+
917
+ // Normalize verifier IDs
918
+ const normalizeVerifierId = (id) => {
919
+ if (typeof id !== 'string') return id;
920
+ const match = id.match(/^(.*)@\d+$/);
921
+ return match ? match[1] : id;
922
+ };
923
+ const normalizedVerifierIds = Array.isArray(verifierIds) ? verifierIds.map(normalizeVerifierId) : [];
924
+
925
+ // Validate required parameters
926
+ if (!normalizedVerifierIds || normalizedVerifierIds.length === 0) {
927
+ throw new ValidationError('verifierIds array is required');
928
+ }
929
+ if (!data || typeof data !== 'object') {
930
+ throw new ValidationError('data object is required');
931
+ }
932
+ if (!walletAddress || typeof walletAddress !== 'string') {
933
+ throw new ValidationError('walletAddress is required');
934
+ }
935
+ if (!signature) {
936
+ throw new ValidationError('signature is required');
937
+ }
938
+ if (!signedTimestamp || typeof signedTimestamp !== 'number') {
939
+ throw new ValidationError('signedTimestamp is required');
940
+ }
941
+ if (resolvedChainId !== null && typeof resolvedChainId !== 'number') {
942
+ throw new ValidationError('chainId must be a number');
943
+ }
944
+
945
+ // Validate verifier data
946
+ for (const verifierId of normalizedVerifierIds) {
947
+ const validation = validateVerifierData(verifierId, data);
948
+ if (!validation.valid) {
949
+ throw new ValidationError(`Validation failed for verifier '${verifierId}': ${validation.error}`);
950
+ }
951
+ }
952
+
953
+ // Build options payload.
954
+ const optionsPayload = {
955
+ ...(options && typeof options === 'object' ? options : {}),
956
+ targetChains: Array.isArray(options?.targetChains) ? options.targetChains : [],
957
+ // Privacy and storage options (defaults)
958
+ privacyLevel: options?.privacyLevel || 'private',
959
+ publicDisplay: options?.publicDisplay || false,
960
+ storeOriginalContent:
961
+ typeof options?.storeOriginalContent === 'boolean' ? options.storeOriginalContent : true
962
+ };
963
+ if (typeof options?.enableIpfs === 'boolean') optionsPayload.enableIpfs = options.enableIpfs;
964
+
965
+ const requestData = {
966
+ verifierIds: normalizedVerifierIds,
967
+ data,
968
+ walletAddress,
969
+ signature,
970
+ signedTimestamp,
971
+ ...(resolvedChainId !== null && { chainId: resolvedChainId }),
972
+ ...(chain && { chain }),
973
+ ...(signatureMethod && { signatureMethod }),
974
+ options: optionsPayload
975
+ };
976
+
977
+ const response = await this._makeRequest('POST', '/api/v1/verification', requestData);
978
+
979
+ if (!response.success) {
980
+ throw new ApiError(`Verification failed: ${response.error?.message || 'Unknown error'}`, response.error);
981
+ }
982
+
983
+ return this._formatResponse(response);
984
+ }
985
+
986
+ /**
987
+ * Get proof record by proof receipt id.
988
+ *
989
+ * @param {string} proofId - Proof receipt ID (0x + 64 hex).
990
+ * @returns {Promise<Object>} Proof record and verification state
991
+ *
992
+ * @example
993
+ * const result = await client.getProof('0x...');
994
+ * console.log('Status:', result.status);
995
+ */
996
+ async getProof(proofId) {
997
+ if (!proofId || typeof proofId !== 'string') {
998
+ throw new ValidationError('proofId is required');
999
+ }
1000
+ const response = await this._makeRequest('GET', `/api/v1/proofs/${proofId}`);
1001
+
1002
+ if (!response.success) {
1003
+ throw new ApiError(`Failed to get proof: ${response.error?.message || 'Unknown error'}`, response.error);
1004
+ }
1005
+
1006
+ return this._formatResponse(response);
1007
+ }
1008
+
1009
+ /**
1010
+ * Get private proof record with wallet signature
1011
+ *
1012
+ * @param {string} proofId - Proof receipt ID.
1013
+ * @param {Object} wallet - Wallet provider (window.ethereum or ethers Wallet)
1014
+ * @returns {Promise<Object>} Private proof record and verification state
1015
+ *
1016
+ * @example
1017
+ * const privateData = await client.getPrivateProof(proofId, window.ethereum);
1018
+ */
1019
+ async getPrivateProof(proofId, wallet = null) {
1020
+ if (!proofId || typeof proofId !== 'string') {
1021
+ throw new ValidationError('proofId is required');
1022
+ }
1023
+
1024
+ const isPreSignedAuth = wallet &&
1025
+ typeof wallet === 'object' &&
1026
+ typeof wallet.walletAddress === 'string' &&
1027
+ typeof wallet.signature === 'string' &&
1028
+ typeof wallet.signedTimestamp === 'number';
1029
+ if (isPreSignedAuth) {
1030
+ const auth = wallet;
1031
+ const headers = {
1032
+ 'x-wallet-address': String(auth.walletAddress),
1033
+ 'x-signature': String(auth.signature),
1034
+ 'x-signed-timestamp': String(auth.signedTimestamp),
1035
+ ...(typeof auth.chain === 'string' && auth.chain.trim() ? { 'x-chain': auth.chain.trim() } : {}),
1036
+ ...(typeof auth.signatureMethod === 'string' && auth.signatureMethod.trim() ? { 'x-signature-method': auth.signatureMethod.trim() } : {})
1037
+ };
1038
+ const response = await this._makeRequest('GET', `/api/v1/proofs/${proofId}`, null, headers);
1039
+ if (!response.success) {
1040
+ throw new ApiError(
1041
+ `Failed to access private proof: ${response.error?.message || 'Unauthorized'}`,
1042
+ response.error
1043
+ );
1044
+ }
1045
+ return this._formatResponse(response);
1046
+ }
1047
+
1048
+ const providerWallet = wallet || this._getDefaultBrowserWallet();
1049
+ const { signerWalletAddress: walletAddress, provider } = await this._resolveWalletSigner(providerWallet);
1050
+ if (!walletAddress || typeof walletAddress !== 'string') {
1051
+ throw new ConfigurationError('No wallet accounts available');
1052
+ }
1053
+ const signerIsEvm = EVM_ADDRESS_RE.test(this._normalizeIdentity(walletAddress));
1054
+ const chain = this._inferChainForAddress(walletAddress);
1055
+ const signatureMethod = signerIsEvm ? 'eip191' : 'ed25519';
1056
+
1057
+ const signedTimestamp = Date.now();
1058
+
1059
+ const message = constructVerificationMessage({
1060
+ walletAddress,
1061
+ signedTimestamp,
1062
+ data: { action: 'access_private_proof', qHash: proofId },
1063
+ verifierIds: ['ownership-basic'],
1064
+ ...(signerIsEvm ? { chainId: this._getHubChainId() } : { chain })
1065
+ });
1066
+
1067
+ let signature;
1068
+ try {
1069
+ signature = await signMessage({
1070
+ provider,
1071
+ message,
1072
+ walletAddress,
1073
+ ...(signerIsEvm ? {} : { chain })
1074
+ });
1075
+ } catch (error) {
1076
+ if (error.code === 4001) {
1077
+ throw new ValidationError('User rejected signature request');
1078
+ }
1079
+ throw new ValidationError(`Failed to sign message: ${error.message}`);
1080
+ }
1081
+
1082
+ const response = await this._makeRequest('GET', `/api/v1/proofs/${proofId}`, null, {
1083
+ 'x-wallet-address': walletAddress,
1084
+ 'x-signature': signature,
1085
+ 'x-signed-timestamp': signedTimestamp.toString(),
1086
+ ...(signerIsEvm ? {} : { 'x-chain': chain, 'x-signature-method': signatureMethod })
1087
+ });
1088
+
1089
+ if (!response.success) {
1090
+ throw new ApiError(
1091
+ `Failed to access private proof: ${response.error?.message || 'Unauthorized'}`,
1092
+ response.error
1093
+ );
1094
+ }
1095
+
1096
+ return this._formatResponse(response);
1097
+ }
1098
+
1099
+ /**
1100
+ * Check API health
1101
+ *
1102
+ * @returns {Promise<boolean>} True if API is healthy
1103
+ */
1104
+ async isHealthy() {
1105
+ try {
1106
+ const response = await this._makeRequest('GET', '/api/v1/health');
1107
+ return response.success === true;
1108
+ } catch {
1109
+ return false;
1110
+ }
1111
+ }
1112
+
1113
+ /**
1114
+ * List available verifiers
1115
+ *
1116
+ * @returns {Promise<string[]>} Array of verifier IDs
1117
+ */
1118
+ async getVerifiers() {
1119
+ const catalog = await this.getVerifierCatalog();
1120
+ return Array.isArray(catalog?.data) ? catalog.data : [];
1121
+ }
1122
+
1123
+ /**
1124
+ * Get the public verifier catalog with per-verifier capabilities.
1125
+ * @returns {Promise<{data: string[], metadata: Record<string, { supportsDirectApi?: boolean }>, meta?: object}>}
1126
+ */
1127
+ async getVerifierCatalog() {
1128
+ const response = await this._makeRequest('GET', '/api/v1/verification/verifiers');
1129
+ if (!response.success) {
1130
+ throw new ApiError(`Failed to get verifiers: ${response.error?.message || 'Unknown error'}`, response.error);
1131
+ }
1132
+ return {
1133
+ data: Array.isArray(response.data) ? response.data : [],
1134
+ metadata:
1135
+ response.metadata && typeof response.metadata === 'object' && !Array.isArray(response.metadata)
1136
+ ? response.metadata
1137
+ : {},
1138
+ meta:
1139
+ response.meta && typeof response.meta === 'object' && !Array.isArray(response.meta)
1140
+ ? response.meta
1141
+ : {}
1142
+ };
1143
+ }
1144
+
1145
+ /**
1146
+ * POLL PROOF STATUS - Wait for verification completion
1147
+ *
1148
+ * Polls the verification status until it reaches a terminal state (completed or failed).
1149
+ * Useful for providing real-time feedback to users during verification.
1150
+ *
1151
+ * @param {string} proofId - Proof ID to poll.
1152
+ * @param {Object} [options] - Polling options
1153
+ * @param {number} [options.interval=5000] - Polling interval in ms
1154
+ * @param {number} [options.timeout=120000] - Total timeout in ms
1155
+ * @param {Function} [options.onProgress] - Progress callback function
1156
+ * @returns {Promise<Object>} Final verification status
1157
+ *
1158
+ * @example
1159
+ * const finalStatus = await client.pollProofStatus(proofId, {
1160
+ * interval: 3000,
1161
+ * timeout: 60000,
1162
+ * onProgress: (status) => {
1163
+ * console.log('Current status:', status.status);
1164
+ * if (status.crosschain) {
1165
+ * console.log(`Cross-chain: ${status.crosschain.finalized}/${status.crosschain.totalChains}`);
1166
+ * }
1167
+ * }
1168
+ * });
1169
+ */
1170
+ async pollProofStatus(proofId, options = {}) {
1171
+ const {
1172
+ interval = 5000,
1173
+ timeout = 120000,
1174
+ onProgress
1175
+ } = options;
1176
+
1177
+ if (!proofId || typeof proofId !== 'string') {
1178
+ throw new ValidationError('proofId is required');
1179
+ }
1180
+
1181
+ const startTime = Date.now();
1182
+ let consecutiveRateLimits = 0;
1183
+
1184
+ while (Date.now() - startTime < timeout) {
1185
+ try {
1186
+ const status = await this.getProof(proofId);
1187
+ consecutiveRateLimits = 0;
1188
+
1189
+ // Call progress callback if provided
1190
+ if (onProgress && typeof onProgress === 'function') {
1191
+ onProgress(status.data || status);
1192
+ }
1193
+
1194
+ // Check for terminal states
1195
+ const currentStatus = status.data?.status || status.status;
1196
+ if (this._isTerminalStatus(currentStatus)) {
1197
+ this._log('Verification completed', { status: currentStatus, duration: Date.now() - startTime });
1198
+ return status;
1199
+ }
1200
+
1201
+ // Wait before next poll
1202
+ await new Promise(resolve => setTimeout(resolve, interval));
1203
+
1204
+ } catch (error) {
1205
+ this._log('Status poll error', error.message);
1206
+ // Continue polling unless it's a validation error
1207
+ if (error instanceof ValidationError) {
1208
+ throw error;
1209
+ }
1210
+
1211
+ let nextDelay = interval;
1212
+ if (error instanceof ApiError && Number(error.statusCode) === 429) {
1213
+ consecutiveRateLimits += 1;
1214
+ const exp = Math.min(6, consecutiveRateLimits); // cap growth
1215
+ const base = Math.max(500, Number(interval) || 0);
1216
+ const max = 30000; // 30s cap to keep UX responsive
1217
+ const backoff = Math.min(max, base * Math.pow(2, exp));
1218
+ const jitter = Math.floor(backoff * (0.5 + Math.random() * 0.5)); // 50-100%
1219
+ nextDelay = jitter;
1220
+ }
1221
+
1222
+ await new Promise(resolve => setTimeout(resolve, nextDelay));
1223
+ }
1224
+ }
1225
+
1226
+ throw new NetworkError(`Polling timeout after ${timeout}ms`, 'POLLING_TIMEOUT');
1227
+ }
1228
+
1229
+ /**
1230
+ * DETECT CHAIN ID - Get current wallet chain
1231
+ *
1232
+ * @returns {Promise<number>} Current chain ID
1233
+ */
1234
+ async detectChainId() {
1235
+ if (typeof window === 'undefined' || !window.ethereum) {
1236
+ throw new ConfigurationError('No Web3 wallet detected');
1237
+ }
1238
+
1239
+ try {
1240
+ const chainId = await window.ethereum.request({ method: 'eth_chainId' });
1241
+ return parseInt(chainId, 16);
1242
+ } catch (error) {
1243
+ throw new NetworkError(`Failed to detect chain ID: ${error.message}`);
1244
+ }
1245
+ }
1246
+
1247
+ /** Revoke your own proof (owner-signed) */
1248
+ async revokeOwnProof(proofId, wallet) {
1249
+ if (!proofId || typeof proofId !== 'string') {
1250
+ throw new ValidationError('proofId is required');
1251
+ }
1252
+ const providerWallet = wallet || this._getDefaultBrowserWallet();
1253
+ const { signerWalletAddress: address, provider } = await this._resolveWalletSigner(providerWallet);
1254
+ if (!address || typeof address !== 'string') {
1255
+ throw new ConfigurationError('No wallet accounts available');
1256
+ }
1257
+ const signerIsEvm = EVM_ADDRESS_RE.test(this._normalizeIdentity(address));
1258
+ const chain = this._inferChainForAddress(address);
1259
+ const signatureMethod = signerIsEvm ? 'eip191' : 'ed25519';
1260
+ const signedTimestamp = Date.now();
1261
+
1262
+ const message = constructVerificationMessage({
1263
+ walletAddress: address,
1264
+ signedTimestamp,
1265
+ data: { action: 'revoke_proof', qHash: proofId },
1266
+ verifierIds: ['ownership-basic'],
1267
+ ...(signerIsEvm ? { chainId: this._getHubChainId() } : { chain })
1268
+ });
1269
+
1270
+ let signature;
1271
+ try {
1272
+ signature = await signMessage({
1273
+ provider,
1274
+ message,
1275
+ walletAddress: address,
1276
+ ...(signerIsEvm ? {} : { chain })
1277
+ });
1278
+ } catch (error) {
1279
+ if (error.code === 4001) {
1280
+ throw new ValidationError('User rejected revocation signature');
1281
+ }
1282
+ throw new ValidationError(`Failed to sign revocation: ${error.message}`);
1283
+ }
1284
+
1285
+ const res = await fetch(`${this.config.apiUrl}/api/v1/proofs/revoke-self/${proofId}`, {
1286
+ method: 'POST',
1287
+ headers: { 'Content-Type': 'application/json' },
1288
+ body: JSON.stringify({
1289
+ walletAddress: address,
1290
+ signature,
1291
+ signedTimestamp,
1292
+ ...(signerIsEvm ? {} : { chain, signatureMethod })
1293
+ })
1294
+ });
1295
+ const json = await res.json();
1296
+ if (!json.success) {
1297
+ throw new ApiError(json.error?.message || 'Failed to revoke proof', json.error);
1298
+ }
1299
+ return true;
1300
+ }
1301
+
1302
+ /**
1303
+ * GET PROOFS BY WALLET - Fetch proofs for a wallet address
1304
+ *
1305
+ * @param {string} walletAddress - Wallet identity (EVM/Solana/DID)
1306
+ * @param {Object} [options] - Filter options
1307
+ * @param {number} [options.limit] - Max results (default: 50; higher limits require owner access)
1308
+ * @param {number} [options.offset] - Pagination offset (default: 0)
1309
+ * @param {string} [options.qHash] - Filter to single proof by qHash
1310
+ * @returns {Promise<Object>} Proofs result
1311
+ *
1312
+ * @example
1313
+ * const result = await client.getProofsByWallet('0x...', {
1314
+ * limit: 50,
1315
+ * offset: 0
1316
+ * });
1317
+ */
1318
+ async getProofsByWallet(walletAddress, options = {}) {
1319
+ if (!walletAddress || typeof walletAddress !== 'string') {
1320
+ throw new ValidationError('walletAddress is required');
1321
+ }
1322
+
1323
+ const id = walletAddress.trim();
1324
+ const pathId = /^0x[a-fA-F0-9]{40}$/i.test(id) ? id.toLowerCase() : id;
1325
+
1326
+ const qs = [];
1327
+ if (options.limit) qs.push(`limit=${encodeURIComponent(String(options.limit))}`);
1328
+ if (options.offset) qs.push(`offset=${encodeURIComponent(String(options.offset))}`);
1329
+ if (options.qHash) qs.push(`qHash=${encodeURIComponent(options.qHash.toLowerCase())}`);
1330
+
1331
+ const query = qs.length ? `?${qs.join('&')}` : '';
1332
+ const response = await this._makeRequest(
1333
+ 'GET',
1334
+ `/api/v1/proofs/by-wallet/${encodeURIComponent(pathId)}${query}`
1335
+ );
1336
+
1337
+ if (!response.success) {
1338
+ throw new ApiError(`Failed to get proofs: ${response.error?.message || 'Unknown error'}`, response.error);
1339
+ }
1340
+
1341
+ // Normalize response structure
1342
+ const proofs = response.data?.proofs || response.data || response.proofs || [];
1343
+ return {
1344
+ success: true,
1345
+ proofs: Array.isArray(proofs) ? proofs : [],
1346
+ totalCount: response.data?.totalCount ?? proofs.length,
1347
+ hasMore: Boolean(response.data?.hasMore),
1348
+ nextOffset: response.data?.nextOffset ?? null
1349
+ };
1350
+ }
1351
+
1352
+ /**
1353
+ * Get proofs by wallet (owner access)
1354
+ *
1355
+ * Signs an owner-access intent and requests private proofs via signature headers.
1356
+ *
1357
+ * @param {string} walletAddress - Wallet identity (EVM/Solana/DID)
1358
+ * @param {Object} [options]
1359
+ * @param {number} [options.limit] - Max results (server enforces caps)
1360
+ * @param {number} [options.offset] - Pagination offset
1361
+ * @param {string} [options.qHash] - Filter to single proof by qHash
1362
+ * @param {Object} [wallet] - Optional injected wallet/provider (MetaMask/ethers Wallet)
1363
+ */
1364
+ async getPrivateProofsByWallet(walletAddress, options = {}, wallet = null) {
1365
+ if (!walletAddress || typeof walletAddress !== 'string') {
1366
+ throw new ValidationError('walletAddress is required');
1367
+ }
1368
+
1369
+ const id = walletAddress.trim();
1370
+ const pathId = /^0x[a-fA-F0-9]{40}$/i.test(id) ? id.toLowerCase() : id;
1371
+
1372
+ const requestedIdentity = this._normalizeIdentity(id);
1373
+
1374
+ // Auto-detect wallet if not provided
1375
+ if (!wallet) {
1376
+ const defaultWallet = this._getDefaultBrowserWallet();
1377
+ if (!defaultWallet) {
1378
+ throw new ConfigurationError('No wallet provider available');
1379
+ }
1380
+ wallet = defaultWallet;
1381
+ }
1382
+
1383
+ const { signerWalletAddress, provider } = await this._resolveWalletSigner(wallet);
1384
+
1385
+ if (!signerWalletAddress || typeof signerWalletAddress !== 'string') {
1386
+ throw new ConfigurationError('No wallet accounts available');
1387
+ }
1388
+
1389
+ const normalizedSigner = this._normalizeIdentity(signerWalletAddress);
1390
+ if (!normalizedSigner || normalizedSigner !== requestedIdentity) {
1391
+ throw new ValidationError('wallet must match walletAddress for private proof access');
1392
+ }
1393
+
1394
+ const signerIsEvm = EVM_ADDRESS_RE.test(normalizedSigner);
1395
+ const chain = this._inferChainForAddress(normalizedSigner, options?.chain);
1396
+ const signatureMethod = (typeof options?.signatureMethod === 'string' && options.signatureMethod.trim())
1397
+ ? options.signatureMethod.trim()
1398
+ : (signerIsEvm ? 'eip191' : 'ed25519');
1399
+
1400
+ const signedTimestamp = Date.now();
1401
+ const message = constructVerificationMessage({
1402
+ walletAddress: signerWalletAddress,
1403
+ signedTimestamp,
1404
+ data: { action: 'access_private_proofs_by_wallet', walletAddress: normalizedSigner },
1405
+ verifierIds: ['ownership-basic'],
1406
+ ...(signerIsEvm ? { chainId: this._getHubChainId() } : { chain })
1407
+ });
1408
+
1409
+ let signature;
1410
+ try {
1411
+ signature = await signMessage({
1412
+ provider,
1413
+ message,
1414
+ walletAddress: signerWalletAddress,
1415
+ ...(signerIsEvm ? {} : { chain })
1416
+ });
1417
+ } catch (error) {
1418
+ if (error.code === 4001) {
1419
+ throw new ValidationError('User rejected signature request');
1420
+ }
1421
+ throw new ValidationError(`Failed to sign message: ${error.message}`);
1422
+ }
1423
+
1424
+ const qs = [];
1425
+ if (options.limit) qs.push(`limit=${encodeURIComponent(String(options.limit))}`);
1426
+ if (options.offset) qs.push(`offset=${encodeURIComponent(String(options.offset))}`);
1427
+ if (options.qHash) qs.push(`qHash=${encodeURIComponent(options.qHash.toLowerCase())}`);
1428
+ const query = qs.length ? `?${qs.join('&')}` : '';
1429
+
1430
+ const response = await this._makeRequest('GET', `/api/v1/proofs/by-wallet/${encodeURIComponent(pathId)}${query}`, null, {
1431
+ 'x-wallet-address': signerWalletAddress,
1432
+ 'x-signature': signature,
1433
+ 'x-signed-timestamp': signedTimestamp.toString(),
1434
+ ...(signerIsEvm ? {} : { 'x-chain': chain, 'x-signature-method': signatureMethod })
1435
+ });
1436
+
1437
+ if (!response.success) {
1438
+ throw new ApiError(`Failed to get proofs: ${response.error?.message || 'Unauthorized'}`, response.error);
1439
+ }
1440
+
1441
+ const proofs = response.data?.proofs || response.data || response.proofs || [];
1442
+ return {
1443
+ success: true,
1444
+ proofs: Array.isArray(proofs) ? proofs : [],
1445
+ totalCount: response.data?.totalCount ?? proofs.length,
1446
+ hasMore: Boolean(response.data?.hasMore),
1447
+ nextOffset: response.data?.nextOffset ?? null
1448
+ };
1449
+ }
1450
+
1451
+ /**
1452
+ * Gate check (HTTP API) — minimal eligibility response.
1453
+ *
1454
+ * Calls the gate endpoint and returns a **minimal** yes/no response.
1455
+ * By default this checks **public + unlisted** proofs.
1456
+ *
1457
+ * When `includePrivate=true`, this can perform owner-signed private checks
1458
+ * (no full proof payloads returned) by providing a wallet/provider.
1459
+ *
1460
+ * Prefer this over `checkGate()` when you need the smallest, most stable
1461
+ * response shape and do not need full proof payloads.
1462
+ *
1463
+ * @param {Object} params - Gate check query params
1464
+ * @param {string} params.address - Wallet identity to check (EVM/Solana/DID)
1465
+ * @param {Array<string>|string} [params.verifierIds] - Verifier IDs to match (array or comma-separated)
1466
+ * @param {boolean} [params.requireAll] - Require all verifierIds on a single proof
1467
+ * @param {number} [params.minCount] - Minimum number of matching proofs
1468
+ * @param {number} [params.sinceDays] - Optional time window in days
1469
+ * @param {number} [params.since] - Optional unix timestamp in ms (lower bound)
1470
+ * @param {number} [params.limit] - Max rows to scan (server may clamp)
1471
+ * @param {boolean} [params.includePrivate] - Include private proofs for owner-authenticated requests
1472
+ * @param {boolean} [params.includeQHashes] - Include matched qHashes in response (minimal IDs only)
1473
+ * @param {Object} [params.wallet] - Optional wallet/provider used to sign includePrivate owner checks
1474
+ * @returns {Promise<Object>} API response ({ success, data })
1475
+ */
1476
+ async gateCheck(params = {}) {
1477
+ const address = (params.address || '').toString();
1478
+ if (!validateUniversalAddress(address, params.chain)) {
1479
+ throw new ValidationError('Valid address is required');
1480
+ }
1481
+
1482
+ // Build query string safely (stringify all values; allow arrays for common fields)
1483
+ const qs = new URLSearchParams();
1484
+ qs.set('address', address);
1485
+
1486
+ const setIfPresent = (key, value) => {
1487
+ if (value === undefined || value === null) return;
1488
+ const str = typeof value === 'string' ? value : String(value);
1489
+ if (str.length === 0) return;
1490
+ qs.set(key, str);
1491
+ };
1492
+
1493
+ const setBoolIfPresent = (key, value) => {
1494
+ if (value === undefined || value === null) return;
1495
+ qs.set(key, value ? 'true' : 'false');
1496
+ };
1497
+
1498
+ const setCsvIfPresent = (key, value) => {
1499
+ if (value === undefined || value === null) return;
1500
+ if (Array.isArray(value)) {
1501
+ const items = value.map(v => String(v).trim()).filter(Boolean);
1502
+ if (items.length) qs.set(key, items.join(','));
1503
+ return;
1504
+ }
1505
+ setIfPresent(key, value);
1506
+ };
1507
+
1508
+ // Common filters
1509
+ setCsvIfPresent('verifierIds', params.verifierIds);
1510
+ setBoolIfPresent('requireAll', params.requireAll);
1511
+ setIfPresent('minCount', params.minCount);
1512
+ setIfPresent('sinceDays', params.sinceDays);
1513
+ setIfPresent('since', params.since);
1514
+ setIfPresent('limit', params.limit);
1515
+ setBoolIfPresent('includePrivate', params.includePrivate);
1516
+ setBoolIfPresent('includeQHashes', params.includeQHashes);
1517
+
1518
+ // Common match filters (optional)
1519
+ setIfPresent('referenceType', params.referenceType);
1520
+ setIfPresent('referenceId', params.referenceId);
1521
+ setIfPresent('tag', params.tag);
1522
+ setCsvIfPresent('tags', params.tags);
1523
+ setIfPresent('contentType', params.contentType);
1524
+ setIfPresent('content', params.content);
1525
+ setIfPresent('contentHash', params.contentHash);
1526
+
1527
+ // Asset/ownership filters
1528
+ setIfPresent('contractAddress', params.contractAddress);
1529
+ setIfPresent('tokenId', params.tokenId);
1530
+ setIfPresent('chainId', params.chainId);
1531
+ setIfPresent('domain', params.domain);
1532
+ setIfPresent('minBalance', params.minBalance);
1533
+
1534
+ // Wallet filters
1535
+ setIfPresent('provider', params.provider);
1536
+ setIfPresent('handle', params.handle);
1537
+ setIfPresent('namespace', params.namespace);
1538
+ setIfPresent('ownerAddress', params.ownerAddress);
1539
+ setIfPresent('riskLevel', params.riskLevel);
1540
+ setBoolIfPresent('sanctioned', params.sanctioned);
1541
+ setBoolIfPresent('poisoned', params.poisoned);
1542
+ setIfPresent('primaryWalletAddress', params.primaryWalletAddress);
1543
+ setIfPresent('secondaryWalletAddress', params.secondaryWalletAddress);
1544
+ setIfPresent('verificationMethod', params.verificationMethod);
1545
+
1546
+ let headersOverride = null;
1547
+ if (params.includePrivate === true) {
1548
+ const provided = params.privateAuth && typeof params.privateAuth === 'object' ? params.privateAuth : null;
1549
+ let auth = provided;
1550
+ if (!auth) {
1551
+ const walletCandidate = params.wallet || this._getDefaultBrowserWallet();
1552
+ if (walletCandidate) {
1553
+ auth = await this._buildPrivateGateAuth({
1554
+ address,
1555
+ wallet: walletCandidate,
1556
+ chain: params.chain,
1557
+ signatureMethod: params.signatureMethod
1558
+ });
1559
+ }
1560
+ }
1561
+ if (!auth) {
1562
+ // Without a signer: public and unlisted proofs only.
1563
+ } else {
1564
+ const normalizedAuthWallet = this._normalizeIdentity(auth.walletAddress);
1565
+ const normalizedAddress = this._normalizeIdentity(address);
1566
+ if (!normalizedAuthWallet || normalizedAuthWallet !== normalizedAddress) {
1567
+ throw new ValidationError('privateAuth.walletAddress must match address when includePrivate=true');
1568
+ }
1569
+ const authChain = (typeof auth.chain === 'string' && auth.chain.includes(':')) ? auth.chain.trim() : null;
1570
+ const authSignatureMethod = (typeof auth.signatureMethod === 'string' && auth.signatureMethod.trim())
1571
+ ? auth.signatureMethod.trim()
1572
+ : null;
1573
+ headersOverride = {
1574
+ 'x-wallet-address': String(auth.walletAddress),
1575
+ 'x-signature': String(auth.signature),
1576
+ 'x-signed-timestamp': String(auth.signedTimestamp),
1577
+ ...(authChain ? { 'x-chain': authChain } : {}),
1578
+ ...(authSignatureMethod ? { 'x-signature-method': authSignatureMethod } : {})
1579
+ };
1580
+ }
1581
+ }
1582
+
1583
+ const response = await this._makeRequest('GET', `/api/v1/proofs/check?${qs.toString()}`, null, headersOverride);
1584
+ if (!response.success) {
1585
+ throw new ApiError(`Gate check failed: ${response.error?.message || 'Unknown error'}`, response.error);
1586
+ }
1587
+ return response;
1588
+ }
1589
+
1590
+ /**
1591
+ * CHECK GATE Local preview against proofs you already have in memory or from `getProofsByWallet`.
1592
+ *
1593
+ * **Not authoritative for access control.** For production allow/deny, use {@link NeusClient#gateCheck}
1594
+ * (`GET /api/v1/proofs/check`), which applies the same rules as the NEUS API. This method is useful for
1595
+ * UI previews, offline-ish flows, or when you already fetched proofs and want a quick match without
1596
+ * another round trip — but it can disagree with the server (e.g. `contentHash` matching uses a local
1597
+ * approximation when proof data only has inline `content`; the API uses the standard server-side hash).
1598
+ *
1599
+ * Gate-first verification: checks if wallet has valid proofs satisfying requirements.
1600
+ * Returns which requirements are missing/expired.
1601
+ *
1602
+ * @param {Object} params - Gate check parameters
1603
+ * @param {string} params.walletAddress - Target wallet
1604
+ * @param {Array<Object>} params.requirements - Array of gate requirements
1605
+ * @param {string} params.requirements[].verifierId - Required verifier ID
1606
+ * @param {number} [params.requirements[].maxAgeMs] - Max proof age in ms (TTL)
1607
+ * @param {boolean} [params.requirements[].optional] - If true, not required for gate satisfaction
1608
+ * @param {number} [params.requirements[].minCount] - Minimum proofs needed (default: 1)
1609
+ * @param {Object} [params.requirements[].match] - Verifier data match criteria
1610
+ * Supports nested fields: 'reference.type', 'reference.id', 'content', 'contentHash', 'input.*', 'license.*'
1611
+ * Supports verifier-specific:
1612
+ * - NFT/Token: 'contractAddress', 'tokenId', 'chainId', 'ownerAddress', 'minBalance'
1613
+ * - DNS: 'domain', 'walletAddress'
1614
+ * - Wallet-link: 'primaryWalletAddress', 'secondaryWalletAddress', 'chain', 'signatureMethod'
1615
+ * - Contract-ownership: 'contractAddress', 'chainId', 'owner', 'verificationMethod'
1616
+ * Note: contentHash matching uses approximation in SDK; for exact SHA-256 matching, use backend API
1617
+ * @param {Array} [params.proofs] - Pre-fetched proofs (skip API call)
1618
+ * @returns {Promise<Object>} Gate result with satisfied, missing, existing
1619
+ *
1620
+ * @example
1621
+ * // Basic gate check
1622
+ * const result = await client.checkGate({
1623
+ * walletAddress: '0x...',
1624
+ * requirements: [
1625
+ * { verifierId: 'nft-ownership', match: { contractAddress: '0x...' } }
1626
+ * ]
1627
+ * });
1628
+ */
1629
+ async checkGate(params) {
1630
+ const { walletAddress, requirements, proofs: preloadedProofs } = params;
1631
+
1632
+ if (!validateUniversalAddress(walletAddress)) {
1633
+ throw new ValidationError('Valid walletAddress is required');
1634
+ }
1635
+ if (!Array.isArray(requirements) || requirements.length === 0) {
1636
+ throw new ValidationError('requirements array is required and must not be empty');
1637
+ }
1638
+
1639
+ // Use preloaded proofs or fetch from API
1640
+ let proofs = preloadedProofs;
1641
+ if (!proofs) {
1642
+ const result = await this.getProofsByWallet(walletAddress, { limit: 100 });
1643
+ proofs = result.proofs;
1644
+ }
1645
+
1646
+ const now = Date.now();
1647
+ const existing = {};
1648
+ const missing = [];
1649
+
1650
+ for (const req of requirements) {
1651
+ const { verifierId, maxAgeMs, optional = false, minCount = 1, match } = req;
1652
+
1653
+ // Find matching proofs for this verifier
1654
+ const matchingProofs = (proofs || []).filter(proof => {
1655
+ // Must have this verifier and be verified
1656
+ const verifiedVerifiers = proof.verifiedVerifiers || [];
1657
+ const verifier = verifiedVerifiers.find(
1658
+ v => v.verifierId === verifierId && v.verified === true
1659
+ );
1660
+ if (!verifier) return false;
1661
+
1662
+ // Check proof is not revoked
1663
+ if (proof.revokedAt) return false;
1664
+
1665
+ // Check TTL if specified
1666
+ if (maxAgeMs) {
1667
+ const proofTimestamp = proof.createdAt || proof.signedTimestamp || 0;
1668
+ const proofAge = now - proofTimestamp;
1669
+ if (proofAge > maxAgeMs) return false;
1670
+ }
1671
+
1672
+ // Check custom match criteria if specified
1673
+ if (match && typeof match === 'object') {
1674
+ const data = verifier.data || {};
1675
+ const input = data.input || {}; // NFT/token verifiers store fields in input
1676
+ // Gate format: match as array [{path, op, value}]. Convert to {path: value} for iteration.
1677
+ const matchObj = Array.isArray(match)
1678
+ ? Object.fromEntries(
1679
+ match
1680
+ .filter((m) => m && m.path && String(m.value ?? '').trim() !== '')
1681
+ .map((m) => [String(m.path).trim(), m.value])
1682
+ )
1683
+ : match;
1684
+
1685
+ for (const [key, expected] of Object.entries(matchObj)) {
1686
+ let actualValue = null;
1687
+
1688
+ // Handle nested field access
1689
+ if (key.includes('.')) {
1690
+ const parts = key.split('.');
1691
+ let current = data;
1692
+
1693
+ if (parts[0] === 'input' && input) {
1694
+ current = input;
1695
+ parts.shift();
1696
+ }
1697
+
1698
+ for (const part of parts) {
1699
+ if (current && typeof current === 'object' && part in current) {
1700
+ current = current[part];
1701
+ } else {
1702
+ current = undefined;
1703
+ break;
1704
+ }
1705
+ }
1706
+ actualValue = current;
1707
+ } else {
1708
+ actualValue = input[key] || data[key];
1709
+ }
1710
+
1711
+ if (key === 'content' && actualValue === undefined) {
1712
+ actualValue = data.reference?.id || data.content;
1713
+ }
1714
+
1715
+ // Special handling for verifier-specific fields (claim-based, aligns with proofs/check)
1716
+ if (actualValue === undefined) {
1717
+ const claims = data.claims || {};
1718
+ if (key === 'contractAddress') {
1719
+ actualValue = input.contractAddress || data.contractAddress;
1720
+ } else if (key === 'tokenId') {
1721
+ actualValue = input.tokenId || data.tokenId;
1722
+ } else if (key === 'chainId') {
1723
+ actualValue = input.chainId || data.chainId;
1724
+ } else if (key === 'ownerAddress') {
1725
+ actualValue = input.ownerAddress || data.owner || data.walletAddress;
1726
+ } else if (key === 'minBalance') {
1727
+ actualValue = input.minBalance || data.onChainData?.requiredMinBalance || data.minBalance;
1728
+ } else if (key === 'primaryWalletAddress') {
1729
+ actualValue = data.primaryWalletAddress;
1730
+ } else if (key === 'secondaryWalletAddress') {
1731
+ actualValue = data.secondaryWalletAddress;
1732
+ } else if (key === 'verificationMethod') {
1733
+ actualValue = data.verificationMethod;
1734
+ } else if (key === 'domain') {
1735
+ actualValue = data.domain;
1736
+ } else if (key === 'handle') {
1737
+ actualValue = data.handle || data.pseudonymId;
1738
+ } else if (key === 'namespace') {
1739
+ actualValue =
1740
+ data.namespace !== undefined && data.namespace !== null && data.namespace !== ''
1741
+ ? data.namespace
1742
+ : 'neus';
1743
+ } else if (key === 'claims.sanctions_passed') {
1744
+ actualValue = claims.sanctions_passed ?? claims.sanctionsPassed;
1745
+ } else if (key === 'claims.age_min') {
1746
+ actualValue = claims.age_min ?? claims.ageMin;
1747
+ } else if (key === 'neusPersonhoodId') {
1748
+ actualValue = data.neusPersonhoodId;
1749
+ } else if (key === 'riskLevel') {
1750
+ actualValue = data.riskLevel;
1751
+ } else if (key === 'sanctioned') {
1752
+ actualValue = data.sanctioned;
1753
+ } else if (key === 'poisoned') {
1754
+ actualValue = data.poisoned;
1755
+ }
1756
+ }
1757
+
1758
+ // Content hash check (approximation)
1759
+ if (key === 'contentHash' && actualValue === undefined && data.content) {
1760
+ try {
1761
+ // Simple hash approximation for non-crypto envs
1762
+ let hash = 0;
1763
+ const str = String(data.content);
1764
+ for (let i = 0; i < str.length; i++) {
1765
+ const char = str.charCodeAt(i);
1766
+ hash = ((hash << 5) - hash) + char;
1767
+ hash = hash & hash;
1768
+ }
1769
+ actualValue = `0x${ Math.abs(hash).toString(16).padStart(64, '0').substring(0, 66)}`;
1770
+ } catch {
1771
+ actualValue = String(data.content);
1772
+ }
1773
+ }
1774
+
1775
+ let normalizedActual = actualValue;
1776
+ let normalizedExpected = expected;
1777
+
1778
+ if (actualValue === undefined || actualValue === null) {
1779
+ return false;
1780
+ }
1781
+
1782
+ // Boolean claims (sanctions_passed, sanctioned, poisoned)
1783
+ if (typeof actualValue === 'boolean' || (key && (key.includes('sanctions') || key.includes('sanctioned') || key.includes('poisoned')))) {
1784
+ const bActual = Boolean(actualValue);
1785
+ const bExpected = expected === true || expected === 'true' || String(expected).toLowerCase() === 'true';
1786
+ if (bActual !== bExpected) return false;
1787
+ continue;
1788
+ }
1789
+
1790
+ if (key === 'chainId' || (key === 'tokenId' && (typeof actualValue === 'number' || !isNaN(Number(actualValue))))) {
1791
+ normalizedActual = Number(actualValue);
1792
+ normalizedExpected = Number(expected);
1793
+ if (isNaN(normalizedActual) || isNaN(normalizedExpected)) return false;
1794
+ }
1795
+ else if (typeof actualValue === 'string' && (actualValue.startsWith('0x') || actualValue.length > 20)) {
1796
+ normalizedActual = actualValue.toLowerCase();
1797
+ normalizedExpected = typeof expected === 'string' ? String(expected).toLowerCase() : expected;
1798
+ }
1799
+ else {
1800
+ normalizedActual = actualValue;
1801
+ normalizedExpected = expected;
1802
+ }
1803
+
1804
+ if (normalizedActual !== normalizedExpected) {
1805
+ return false;
1806
+ }
1807
+ }
1808
+ }
1809
+
1810
+ return true;
1811
+ });
1812
+
1813
+ if (matchingProofs.length >= minCount) {
1814
+ const sorted = matchingProofs.sort((a, b) => (b.createdAt || 0) - (a.createdAt || 0));
1815
+ existing[verifierId] = sorted[0];
1816
+ } else if (!optional) {
1817
+ missing.push(req);
1818
+ }
1819
+ }
1820
+
1821
+ return {
1822
+ satisfied: missing.length === 0,
1823
+ missing,
1824
+ existing,
1825
+ allProofs: proofs
1826
+ };
1827
+ }
1828
+
1829
+ async _getWalletAddress() {
1830
+ if (typeof window === 'undefined' || !window.ethereum) {
1831
+ throw new ConfigurationError('No Web3 wallet detected');
1832
+ }
1833
+
1834
+ const accounts = await window.ethereum.request({ method: 'eth_accounts' });
1835
+ if (!accounts || accounts.length === 0) {
1836
+ throw new ConfigurationError('No wallet accounts available');
1837
+ }
1838
+
1839
+ return accounts[0];
1840
+ }
1841
+
1842
+ async _makeRequest(method, endpoint, data = null, headersOverride = null) {
1843
+ const url = `${this.baseUrl}${endpoint}`;
1844
+
1845
+ const controller = new AbortController();
1846
+ const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
1847
+
1848
+ const options = {
1849
+ method,
1850
+ headers: { ...this.defaultHeaders, ...(headersOverride || {}) },
1851
+ signal: controller.signal
1852
+ };
1853
+
1854
+ if (data && (method === 'POST' || method === 'PUT' || method === 'PATCH')) {
1855
+ options.body = JSON.stringify(data);
1856
+ }
1857
+
1858
+ this._log(`${method} ${endpoint}`, data ? { requestBodyKeys: Object.keys(data) } : {});
1859
+
1860
+ try {
1861
+ const response = await fetch(url, options);
1862
+ clearTimeout(timeoutId);
1863
+
1864
+ let responseData;
1865
+ try {
1866
+ responseData = await response.json();
1867
+ } catch {
1868
+ responseData = { error: { message: 'Invalid JSON response' } };
1869
+ }
1870
+
1871
+ if (!response.ok) {
1872
+ throw ApiError.fromResponse(response, responseData);
1873
+ }
1874
+
1875
+ return responseData;
1876
+
1877
+ } catch (error) {
1878
+ clearTimeout(timeoutId);
1879
+
1880
+ if (error.name === 'AbortError') {
1881
+ throw new NetworkError(`Request timeout after ${this.config.timeout}ms`);
1882
+ }
1883
+
1884
+ if (error instanceof ApiError) {
1885
+ throw error;
1886
+ }
1887
+
1888
+ throw new NetworkError(`Network error: ${error.message}`);
1889
+ }
1890
+ }
1891
+
1892
+ _formatResponse(response) {
1893
+ const proofId = response?.data?.proofId ||
1894
+ response?.proofId ||
1895
+ response?.data?.resource?.proofId ||
1896
+ response?.data?.qHash ||
1897
+ response?.qHash ||
1898
+ response?.data?.resource?.qHash ||
1899
+ response?.data?.id;
1900
+ const qHash = response?.data?.qHash ||
1901
+ response?.qHash ||
1902
+ response?.data?.resource?.qHash ||
1903
+ proofId ||
1904
+ response?.data?.id;
1905
+ const finalProofId = proofId || qHash || null;
1906
+ const finalQHash = qHash || proofId || finalProofId;
1907
+
1908
+ const status = response?.data?.status ||
1909
+ response?.status ||
1910
+ response?.data?.resource?.status ||
1911
+ (response?.success ? 'completed' : 'unknown');
1912
+
1913
+ return {
1914
+ success: response.success,
1915
+ proofId: finalProofId,
1916
+ qHash: finalQHash,
1917
+ status,
1918
+ data: response.data,
1919
+ message: response.message,
1920
+ timestamp: Date.now(),
1921
+ proofUrl: finalProofId ? `${this.baseUrl}/api/v1/proofs/${finalProofId}` : null
1922
+ };
1923
+ }
1924
+
1925
+ _isTerminalStatus(status) {
1926
+ const terminalStates = [
1927
+ 'verified',
1928
+ 'verified_crosschain_propagated',
1929
+ 'completed_all_successful',
1930
+ 'failed',
1931
+ 'error',
1932
+ 'rejected',
1933
+ 'cancelled'
1934
+ ];
1935
+ return typeof status === 'string' && terminalStates.some(state => status.includes(state));
1936
+ }
1937
+
1938
+ /** SDK logging (opt-in via config.enableLogging) */
1939
+ _log(message, data = {}) {
1940
+ if (this.config.enableLogging) {
1941
+ try {
1942
+ const prefix = '[neus/sdk]';
1943
+ if (data && Object.keys(data).length > 0) {
1944
+ // eslint-disable-next-line no-console
1945
+ console.log(prefix, message, data);
1946
+ } else {
1947
+ // eslint-disable-next-line no-console
1948
+ console.log(prefix, message);
1949
+ }
1950
+ } catch {
1951
+ // ignore logging failures
1952
+ }
1953
+ }
1954
+ }
1955
+ }
1956
+
1957
+ // Export signing helpers for advanced use
1958
+ export { PORTABLE_PROOF_SIGNER_HEADER, constructVerificationMessage };